From 4631d0c4829e8af427818a2499dbdbdeb433149d Mon Sep 17 00:00:00 2001 
From: frack113 Date: Wed, 19 Jan 2022 18:23:30 +0100 Subject: [PATCH] remove invalid tag --- rules/apt/apt_silence_downloader_v3.yml | 1 - rules/apt/apt_silence_eda.yml | 2 -- .../aws/aws_cloudtrail_disable_logging.yml | 1 - .../aws/aws_config_disable_recording.yml | 1 - .../aws/aws_ec2_startup_script_change.yml | 3 --- rules/cloud/aws/aws_guardduty_disruption.yml | 1 - rules/cloud/aws/aws_root_account_usage.yml | 1 - .../auditd/lnx_auditd_alter_bash_profile.yml | 1 - .../lnx_auditd_auditing_config_change.yml | 1 - .../auditd/lnx_auditd_create_account.yml | 1 - .../lnx_auditd_logging_config_change.yml | 1 - .../linux/builtin/lnx_sudo_cve_2019_14287.yml | 1 - .../builtin/lnx_sudo_cve_2019_14287_user.yml | 1 - .../process_creation/macos_create_account.yml | 1 - .../lnx_security_tools_disabling_syslog.yml | 1 - .../lnx_security_tools_disabling.yml | 1 - .../lnx_webshell_detection.yml | 1 - .../cisco/aaa/cisco_cli_clear_logs.yml | 1 - .../cisco/aaa/cisco_cli_collect_data.yml | 3 --- .../cisco/aaa/cisco_cli_crypto_actions.yml | 2 -- .../cisco/aaa/cisco_cli_disable_logging.yml | 1 - rules/network/cisco/aaa/cisco_cli_dos.yml | 1 - .../cisco/aaa/cisco_cli_file_deletion.yml | 3 --- .../cisco/aaa/cisco_cli_input_capture.yml | 1 - .../cisco/aaa/cisco_cli_local_accounts.yml | 1 - .../cisco/aaa/cisco_cli_modify_config.yml | 2 -- .../cisco/aaa/cisco_cli_moving_data.yml | 1 - rules/network/net_dns_c2_detection.yml | 2 -- .../net_firewall_high_dns_bytes_out.yml | 1 - .../net_firewall_high_dns_requests_rate.yml | 2 -- rules/network/net_high_dns_bytes_out.yml | 1 - rules/network/net_high_dns_requests_rate.yml | 2 -- .../net_high_null_records_requests_rate.yml | 2 -- .../net_high_txt_records_requests_rate.yml | 2 -- rules/network/net_mal_dns_cobaltstrike.yml | 1 - rules/network/net_susp_dns_b64_queries.yml | 2 -- .../network/net_susp_dns_txt_exec_strings.yml | 1 - rules/network/net_susp_telegram_api.yml | 1 - .../zeek_dce_rpc_domain_user_enumeration.yml | 1 - 
.../zeek_dce_rpc_mitre_bzar_execution.yml | 2 -- .../zeek_dce_rpc_mitre_bzar_persistence.yml | 1 - rules/network/zeek/zeek_dns_mining_pools.yml | 1 - .../zeek/zeek_dns_suspicious_zbit_flag.yml | 3 +-- .../network/zeek/zeek_rdp_public_listener.yml | 1 - .../zeek_smb_converted_win_atsvc_task.yml | 1 - ..._smb_converted_win_impacket_secretdump.yml | 1 - .../zeek_smb_converted_win_lm_namedpipe.yml | 1 - .../zeek_smb_converted_win_susp_psexec.yml | 1 - ...ransferring_files_with_credential_data.yml | 1 - rules/network/zeek/zeek_susp_kerberos_rc4.yml | 1 - rules/proxy/proxy_apt40.yml | 2 -- rules/proxy/proxy_chafer_malware.yml | 1 - rules/proxy/proxy_cobalt_amazon.yml | 2 +- rules/proxy/proxy_cobalt_malformed_uas.yml | 1 - rules/proxy/proxy_cobalt_ocsp.yml | 1 - rules/proxy/proxy_cobalt_onedrive.yml | 1 - .../proxy_download_susp_tlds_blacklist.yml | 1 - .../proxy_download_susp_tlds_whitelist.yml | 1 - rules/proxy/proxy_downloadcradle_webdav.yml | 1 - rules/proxy/proxy_empire_ua_uri_combos.yml | 1 - rules/proxy/proxy_ios_implant.yml | 1 - rules/proxy/proxy_pwndrop.yml | 2 -- .../proxy/proxy_raw_paste_service_access.yml | 2 -- rules/proxy/proxy_susp_flash_download_loc.yml | 2 -- rules/proxy/proxy_telegram_api.yml | 2 -- rules/proxy/proxy_turla_comrat.yml | 1 - rules/proxy/proxy_ursnif_malware_c2_url.yml | 2 -- rules/web/web_apache_segfault.yml | 1 - .../web_cve_2018_2894_weblogic_exploit.yml | 1 - .../web_cve_2020_14882_weblogic_exploit.yml | 1 - rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 1 - rules/web/web_webshell_keyword.yml | 1 - rules/web/win_powershell_snapins_hafnium.yml | 1 - rules/web/win_webshell_regeorg.yml | 1 - .../application/win_susp_backup_delete.yml | 1 - .../application/win_susp_msmpeng_crash.yml | 1 - .../security/win_account_discovery.yml | 1 - .../win_ad_object_writedac_access.yml | 1 - ...win_ad_replication_non_machine_account.yml | 1 - .../security/win_ad_user_enumeration.yml | 1 - .../builtin/security/win_admin_rdp_login.yml | 1 - 
.../security/win_admin_share_access.yml | 1 - .../win_alert_enable_weak_encryption.yml | 1 - .../builtin/security/win_alert_ruler.yml | 1 - .../win_apt_chafer_mar18_security.yml | 3 --- .../builtin/security/win_apt_wocao.yml | 3 --- ...ary_shell_execution_via_settingcontent.yml | 1 - .../builtin/security/win_atsvc_task.yml | 1 - rules/windows/builtin/security/win_dcsync.yml | 1 - .../builtin/security/win_defender_bypass.yml | 1 - .../security/win_disable_event_logging.yml | 1 - .../win_dpapi_domain_backupkey_extraction.yml | 1 - ..._dpapi_domain_masterkey_backup_attempt.yml | 1 - .../security/win_event_log_cleared.yml | 1 - .../win_global_catalog_enumeration.yml | 1 - .../security/win_gpo_scheduledtasks.yml | 1 - .../security/win_impacket_secretdump.yml | 1 - .../builtin/security/win_lm_namedpipe.yml | 1 - .../win_lsass_access_non_system_account.yml | 1 - .../win_metasploit_authentication.yml | 1 - .../security/win_net_ntlm_downgrade.yml | 1 - .../win_net_share_obj_susp_desktop_ini.yml | 1 - .../security/win_not_allowed_rdp_access.yml | 1 - .../security/win_overpass_the_hash.yml | 1 - .../builtin/security/win_pass_the_hash.yml | 1 - .../builtin/security/win_pass_the_hash_2.yml | 1 - .../win_protected_storage_service_access.yml | 1 - .../security/win_rare_schtasks_creations.yml | 1 - .../security/win_rdp_localhost_login.yml | 1 - .../security/win_rdp_reverse_tunnel.yml | 2 -- ...n_register_new_logon_process_by_rubeus.yml | 1 - .../win_remote_powershell_session.yml | 1 - .../security/win_scheduled_task_deletion.yml | 1 - .../security/win_security_mal_creddumper.yml | 2 -- .../win_security_mal_service_installs.yml | 2 -- ...cobaltstrike_getsystem_service_install.yml | 1 - .../security/win_security_wmi_persistence.yml | 1 - .../security/win_susp_add_sid_history.yml | 1 - .../win_susp_codeintegrity_check_failure.yml | 1 - .../security/win_susp_eventlog_cleared.yml | 1 - .../security/win_susp_ldap_dataexchange.yml | 1 - .../win_susp_local_anon_logon_created.yml | 1 - 
.../builtin/security/win_susp_lsass_dump.yml | 1 - .../security/win_susp_lsass_dump_generic.yml | 1 - .../security/win_susp_net_recon_activity.yml | 2 -- .../builtin/security/win_susp_psexec.yml | 1 - .../security/win_susp_rc4_kerberos.yml | 1 - .../security/win_susp_rottenpotato.yml | 1 - .../builtin/security/win_susp_sdelete.yml | 2 -- .../security/win_susp_time_modification.yml | 1 - ...uspicious_outbound_kerberos_connection.yml | 1 - .../security/win_svcctl_remote_service.yml | 1 - ...ith_credential_data_via_network_shares.yml | 1 - ...ileged_service_lsaregisterlogonprocess.yml | 1 - .../builtin/security/win_user_creation.yml | 1 - .../security/win_user_driver_loaded.yml | 1 - .../system/win_apt_carbonpaper_turla.yml | 1 - .../system/win_apt_chafer_mar18_system.yml | 3 --- .../builtin/system/win_apt_stonedrill.yml | 1 - .../system/win_apt_turla_service_png.yml | 1 - .../builtin/system/win_hack_smbexec.yml | 2 -- .../builtin/system/win_mal_creddumper.yml | 2 -- ...tstrike_getsystem_service_installation.yml | 1 - ...rkspwdump_clearing_hive_access_history.yml | 1 - .../system/win_rare_service_installs.yml | 1 - .../builtin/system/win_susp_dhcp_config.yml | 1 - .../system/win_susp_dhcp_config_failed.yml | 1 - .../builtin/system/win_susp_sam_dump.yml | 1 - .../system/win_system_defender_disabled.yml | 1 - .../win_system_susp_eventlog_cleared.yml | 1 - .../builtin/system/win_tool_psexec.yml | 1 - .../builtin/win_alert_mimikatz_keywords.yml | 1 - .../sysmon_cactustorch.yml | 2 -- .../sysmon_cobaltstrike_process_injection.yml | 1 - .../sysmon_createremotethread_loadlibrary.yml | 1 - .../sysmon_password_dumper_lsass.yml | 1 - .../sysmon_susp_powershell_rundll32.yml | 2 -- .../sysmon_ads_executable.yml | 1 - .../powershell_suspicious_download.yml | 1 - ...wershell_suspicious_invocation_generic.yml | 1 - ...ershell_suspicious_invocation_specific.yml | 1 - .../dns_query/dns_net_mal_cobaltstrike.yml | 1 - .../dns_query_regsvr32_network_activity.yml | 2 -- 
.../driver_load_mal_creddumper.yml | 2 -- ...tstrike_getsystem_service_installation.yml | 1 - .../driver_load/driver_load_susp_temp_use.yml | 1 - .../file_event_apt_unidentified_nov_18.yml | 1 - .../file_event/file_event_hack_dumpert.yml | 1 - .../file_event_hktl_createminidump.yml | 1 - .../file_event/file_event_lsass_dump.yml | 1 - .../file_event/file_event_mal_adwind.yml | 1 - .../file_event/file_event_tool_psexec.yml | 1 - .../sysmon_creation_system_file.yml | 1 - .../sysmon_cred_dump_tools_dropped_files.yml | 1 - .../sysmon_ghostpack_safetykatz.yml | 1 - ...sysmon_lsass_memory_dump_file_creation.yml | 1 - .../file_event/sysmon_office_persistence.yml | 1 - .../sysmon_powershell_exploit_scripts.yml | 1 - .../file_event/sysmon_quarkspw_filedump.yml | 1 - .../sysmon_susp_adsi_cache_usage.yml | 1 - .../file_event/sysmon_susp_desktop_ini.yml | 1 - ...cexplorer_driver_created_in_tmp_folder.yml | 1 - .../sysmon_webshell_creation_detect.yml | 1 - ...ersistence_script_event_consumer_write.yml | 1 - .../sysmon_abusing_azure_browser_sso.yml | 1 - .../sysmon_in_memory_powershell.yml | 1 - .../image_load/sysmon_susp_fax_dll.yml | 2 -- .../image_load/sysmon_susp_image_load.yml | 1 - ...n_susp_office_dotnet_assembly_dll_load.yml | 1 - ...sysmon_susp_office_dotnet_clr_dll_load.yml | 1 - ...sysmon_susp_office_dotnet_gac_dll_load.yml | 1 - .../sysmon_susp_office_dsparse_dll_load.yml | 1 - .../sysmon_susp_office_kerberos_dll_load.yml | 1 - .../sysmon_susp_winword_vbadll_load.yml | 1 - ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 1 - ...sysmon_svchost_dll_search_order_hijack.yml | 2 -- ...ysmon_unsigned_image_loaded_into_lsass.yml | 1 - ...persistence_commandline_event_consumer.yml | 1 - rules/windows/malware/av_webshell.yml | 1 - .../sysmon_dllhost_net_connections.yml | 1 - .../sysmon_malware_backconnect_ports.yml | 1 - .../sysmon_powershell_network_connection.yml | 1 - .../sysmon_rdp_reverse_tunnel.yml | 1 - .../sysmon_regsvr32_network_activity.yml | 14 +++++------ 
...smon_remote_powershell_session_network.yml | 2 -- .../sysmon_rundll32_net_connections.yml | 1 - .../network_connection/sysmon_susp_rdp.yml | 1 - ...uspicious_outbound_kerberos_connection.yml | 2 -- .../sysmon_win_binary_github_com.yml | 1 - ..._applocker_file_was_not_allowed_to_run.yml | 4 --- .../other/dns_server/win_susp_dns_config.yml | 1 - .../windows/other/ntlm/win_susp_ntlm_auth.yml | 1 - .../win_rare_schtask_creation.yml | 1 - .../windefend/win_alert_lsass_access.yml | 1 - .../other/windefend/win_defender_disabled.yml | 1 - .../windefend/win_defender_exclusions.yml | 1 - .../windefend/win_defender_psexec_wmi_asr.yml | 1 - ...win_defender_tamper_protection_trigger.yml | 1 - .../windows/other/wmi/win_wmi_persistence.yml | 1 - .../pipe_created/pipe_created_tool_psexec.yml | 1 - ...sysmon_alternate_powershell_hosts_pipe.yml | 1 - .../sysmon_cred_dump_tools_named_pipes.yml | 1 - .../posh_pc_alternate_powershell_hosts.yml | 1 - .../posh_pc_downgrade_attack.yml | 1 - .../posh_pc_exe_calling_ps.yml | 1 - .../posh_pc_remote_powershell_session.yml | 2 -- .../posh_pc_renamed_powershell.yml | 1 - .../posh_pc_suspicious_download.yml | 1 - .../posh_pc_xor_commandline.yml | 1 - .../posh_pm_alternate_powershell_hosts.yml | 1 - .../posh_pm_bad_opsec_artifacts.yml | 1 - .../posh_pm_clear_powershell_history.yml | 1 - ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 1 - .../posh_pm_remote_powershell_session.yml | 2 -- .../posh_pm_suspicious_download.yml | 1 - .../posh_pm_suspicious_invocation_generic.yml | 1 - ...posh_pm_suspicious_invocation_specific.yml | 1 - .../posh_ps_create_local_user.yml | 4 +-- .../posh_ps_data_compressed.yml | 1 - .../posh_ps_dnscat_execution.yml | 1 - ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 1 - .../posh_ps_malicious_commandlets.yml | 1 - .../posh_ps_malicious_keywords.yml | 1 - .../posh_ps_nishang_malicious_commandlets.yml | 1 - .../posh_ps_ntfs_ads_access.yml | 2 -- .../posh_ps_prompt_credentials.yml | 1 - 
.../powershell_script/posh_ps_psattack.yml | 1 - .../posh_ps_shellcode_b64.yml | 1 - .../posh_ps_suspicious_download.yml | 1 - .../posh_ps_suspicious_invocation_generic.yml | 1 - ...posh_ps_suspicious_invocation_specific.yml | 1 - .../posh_ps_suspicious_keywords.yml | 1 - .../powershell_script/posh_ps_web_request.yml | 1 - .../posh_ps_winlogon_helper_dll.yml | 3 +-- .../powershell_script/posh_ps_wmimplant.yml | 1 - .../sysmon_cmstp_execution_by_access.yml | 2 -- .../sysmon_cred_dump_lsass_access.yml | 1 - .../sysmon_in_memory_assembly_execution.yml | 1 - .../process_access/sysmon_invoke_phantom.yml | 1 - .../process_access/sysmon_lsass_memdump.yml | 1 - .../sysmon_mimikatz_trough_winrm.yml | 3 --- .../win_susp_proc_access_lsass.yml | 1 - ...win_susp_proc_access_lsass_susp_source.yml | 1 - ...s_creation_apt_turla_commands_critical.yml | 1 - ...ess_creation_apt_turla_commands_medium.yml | 1 - .../process_creation_apt_wocao.yml | 3 --- ...cess_creation_dns_serverlevelplugindll.yml | 1 - .../process_creation_hack_dumpert.yml | 1 - ...ocess_creation_stickykey_like_backdoor.yml | 1 - .../process_creation_susp_web_request_cmd.yml | 1 - ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 1 - .../process_creation_tool_psexec.yml | 2 -- .../sysmon_apt_muddywater_dnstunnel.yml | 1 - .../sysmon_cmstp_execution_by_creation.yml | 1 - .../process_creation/sysmon_hack_wce.yml | 1 - ...on_scripts_userinitmprlogonscript_proc.yml | 1 - .../wim_pc_apt_chafer_mar18.yml | 3 --- .../win_apt_apt29_thinktanks.yml | 2 -- .../process_creation/win_apt_babyshark.yml | 4 --- .../win_apt_bear_activity_gtr19.yml | 2 -- .../process_creation/win_apt_bluemashroom.yml | 1 - .../process_creation/win_apt_cloudhopper.yml | 1 - .../process_creation/win_apt_elise.yml | 1 - .../win_apt_emissarypanda_sep19.yml | 1 - .../process_creation/win_apt_empiremonkey.yml | 1 - .../win_apt_equationgroup_dll_u_load.yml | 1 - .../win_apt_evilnum_jul20.yml | 1 - .../win_apt_greenbug_may20.yml | 2 -- 
.../win_apt_judgement_panda_gtr19.yml | 2 -- .../win_apt_ke3chang_regadd.yml | 1 - .../win_apt_lazarus_session_highjack.yml | 1 - .../process_creation/win_apt_sofacy.yml | 2 -- .../process_creation/win_apt_ta17_293a_ps.yml | 1 - .../process_creation/win_apt_taidoor.yml | 1 - .../win_apt_tropictrooper.yml | 1 - .../win_apt_turla_comrat_may20.yml | 2 -- .../win_apt_unidentified_nov_18.yml | 1 - .../win_apt_winnti_mal_hk_jan20.yml | 1 - .../win_apt_winnti_pipemon.yml | 1 - .../process_creation/win_apt_zxshell.yml | 2 -- .../win_attrib_hiding_files.yml | 1 - .../win_bad_opsec_sacrificial_processes.yml | 1 - .../win_bypass_squiblytwo.yml | 1 - .../win_change_default_file_association.yml | 1 - .../process_creation/win_cmdkey_recon.yml | 1 - .../win_cmstp_com_object_access.yml | 2 -- .../win_commandline_path_traversal.yml | 1 - .../win_control_panel_item.yml | 1 - ...g_sensitive_files_with_credential_data.yml | 1 - ..._credential_access_via_password_filter.yml | 1 - .../process_creation/win_crime_fireball.yml | 1 - .../win_crime_maze_ransomware.yml | 1 - .../win_data_compressed_with_rar.yml | 2 -- .../win_dns_exfiltration_tools_execution.yml | 3 --- .../win_encoded_frombase64string.yml | 1 - .../process_creation/win_encoded_iex.yml | 1 - ...ltration_and_tunneling_tools_execution.yml | 1 - .../win_exploit_cve_2015_1641.yml | 1 - .../win_exploit_cve_2017_0261.yml | 2 -- .../win_exploit_cve_2017_11882.yml | 2 -- .../win_exploit_cve_2017_8759.yml | 2 -- .../win_exploit_cve_2019_1378.yml | 1 - .../win_exploit_cve_2020_10189.yml | 2 -- .../win_exploit_cve_2020_1048.yml | 1 - .../win_file_permission_modifications.yml | 3 +-- .../win_grabbing_sensitive_hives_via_reg.yml | 1 - .../process_creation/win_hack_bloodhound.yml | 3 --- .../process_creation/win_hack_koadic.yml | 4 +-- .../process_creation/win_hack_rubeus.yml | 2 -- .../win_hack_secutyxploded.yml | 2 -- rules/windows/process_creation/win_hh_chm.yml | 4 +-- .../win_hiding_malware_in_fonts_folder.yml | 1 - 
.../win_hktl_createminidump.yml | 1 - .../process_creation/win_html_help_spawn.yml | 1 - .../process_creation/win_hwp_exploits.yml | 2 -- .../win_impacket_lateralization.yml | 2 -- .../win_install_reg_debugger_backdoor.yml | 1 - .../process_creation/win_interactive_at.yml | 1 - ...obfuscation_obfuscated_iex_commandline.yml | 1 - .../process_creation/win_lethalhta.yml | 2 -- ...n_local_system_owner_account_discovery.yml | 1 - .../win_lolbas_execution_of_wuauclt.yml | 1 - .../process_creation/win_lsass_dump.yml | 1 - .../process_creation/win_mal_adwind.yml | 1 - .../process_creation/win_malware_emotet.yml | 1 - .../process_creation/win_malware_notpetya.yml | 4 --- .../process_creation/win_malware_qbot.yml | 2 -- .../process_creation/win_malware_ryuk.yml | 1 - .../win_malware_script_dropper.yml | 2 -- .../process_creation/win_malware_wannacry.yml | 1 - .../win_mavinject_proc_inj.yml | 1 - ...r_cobaltstrike_getsystem_service_start.yml | 1 - .../win_mimikatz_command_line.yml | 1 - .../win_mmc20_lateral_movement.yml | 1 - .../process_creation/win_mmc_spawn_shell.yml | 1 - ..._modif_of_services_for_via_commandline.yml | 2 -- .../process_creation/win_mshta_javascript.yml | 1 - .../win_mshta_spawn_shell.yml | 1 - .../process_creation/win_net_user_add.yml | 1 - .../win_netsh_allow_port_rdp.yml | 1 - .../process_creation/win_netsh_fw_add.yml | 1 - .../win_netsh_fw_add_susp_image.yml | 1 - .../win_new_service_creation.yml | 1 - .../win_non_interactive_powershell.yml | 1 - .../process_creation/win_office_shell.yml | 1 - ..._office_spawn_exe_from_users_directory.yml | 1 - .../win_plugx_susp_exe_locations.yml | 1 - .../win_possible_applocker_bypass.yml | 4 --- ...ation_via_service_registry_permissions.yml | 1 - .../win_powershell_amsi_bypass.yml | 1 - .../win_powershell_disable_windef_av.yml | 1 - .../win_powershell_dll_execution.yml | 1 - .../win_powershell_downgrade_attack.yml | 1 - .../win_powershell_download.yml | 1 - ...in_powershell_reverse_shell_connection.yml | 1 - 
...ershell_suspicious_parameter_variation.yml | 1 - .../win_powershell_xor_commandline.yml | 1 - .../win_powersploit_empire_schtasks.yml | 2 -- .../win_proc_wrong_parent.yml | 1 - .../win_process_dump_rundll32_comsvcs.yml | 1 - .../process_creation/win_psexesvc_start.yml | 1 - .../win_redmimicry_winnti_proc.yml | 1 - .../win_remote_powershell_session_process.yml | 1 - .../process_creation/win_renamed_binary.yml | 1 - .../win_renamed_binary_highly_relevant.yml | 1 - .../process_creation/win_renamed_jusched.yml | 1 - .../process_creation/win_renamed_paexec.yml | 1 - .../win_renamed_powershell.yml | 1 - .../process_creation/win_renamed_procdump.yml | 1 - .../process_creation/win_renamed_psexec.yml | 1 - .../win_run_powershell_script_from_ads.yml | 1 - .../win_sdbinst_shim_persistence.yml | 1 - .../win_service_execution.yml | 1 - .../win_shadow_copies_access_symlink.yml | 1 - .../win_shell_spawn_mshta.yml | 1 - .../win_shell_spawn_susp_program.yml | 1 - .../windows/process_creation/win_spn_enum.yml | 1 - ...uthenticated_privileged_console_access.yml | 1 - .../process_creation/win_susp_bcdedit.yml | 1 - .../win_susp_child_process_as_system_.yml | 1 - .../win_susp_compression_params.yml | 3 --- .../win_susp_comsvcs_procdump.yml | 1 - .../win_susp_control_dll_load.yml | 1 - .../win_susp_copy_lateral_movement.yml | 1 - .../process_creation/win_susp_covenant.yml | 3 +-- .../win_susp_crackmapexec_execution.yml | 1 - ...sp_crackmapexec_powershell_obfuscation.yml | 2 -- .../windows/process_creation/win_susp_csc.yml | 1 - .../process_creation/win_susp_csc_folder.yml | 1 - .../win_susp_dctask64_proc_inject.yml | 1 - .../win_susp_devtoolslauncher.yml | 3 +-- ...susp_direct_asep_reg_keys_modification.yml | 1 - .../win_susp_disable_ie_features.yml | 1 - .../process_creation/win_susp_ditsnap.yml | 1 - .../windows/process_creation/win_susp_dnx.yml | 1 - .../win_susp_double_extension.yml | 1 - .../process_creation/win_susp_dxcap.yml | 1 - .../win_susp_eventlog_clear.yml | 1 - 
.../win_susp_execution_path_webserver.yml | 1 - .../win_susp_file_characteristics.yml | 2 -- .../windows/process_creation/win_susp_gup.yml | 1 - .../win_susp_iss_module_install.yml | 1 - .../process_creation/win_susp_msiexec_cwd.yml | 1 - .../process_creation/win_susp_ntdsutil.yml | 1 - .../process_creation/win_susp_odbcconf.yml | 2 -- .../process_creation/win_susp_openwith.yml | 1 - .../win_susp_outlook_temp.yml | 1 - .../process_creation/win_susp_pcwutl.yml | 2 -- .../win_susp_powershell_empire_launch.yml | 1 - .../win_susp_powershell_empire_uac_bypass.yml | 1 - .../win_susp_powershell_enc_cmd.yml | 1 - .../win_susp_powershell_encoded_param.yml | 1 - .../win_susp_powershell_hidden_b64_cmd.yml | 1 - .../win_susp_powershell_parent_combo.yml | 1 - .../win_susp_powershell_parent_process.yml | 1 - .../win_susp_procdump_lsass.yml | 3 +-- .../process_creation/win_susp_ps_appdata.yml | 1 - .../win_susp_ps_downloadfile.yml | 1 - .../process_creation/win_susp_rar_flags.yml | 2 -- .../win_susp_rasdial_activity.yml | 1 - .../win_susp_recon_activity.yml | 1 - .../win_susp_regsvr32_anomalies.yml | 2 -- .../win_susp_regsvr32_flags_anomaly.yml | 1 - .../win_susp_rundll32_activity.yml | 2 -- .../win_susp_rundll32_by_ordinal.yml | 2 -- .../win_susp_schtask_creation.yml | 1 - .../win_susp_script_execution.yml | 2 +- .../win_susp_service_path_modification.yml | 1 - .../win_susp_shell_spawn_from_mssql.yml | 1 - .../process_creation/win_susp_svchost.yml | 1 - .../win_susp_sysvol_access.yml | 1 - .../win_susp_tscon_rdp_redirect.yml | 1 - .../process_creation/win_susp_winrar_dmp.yml | 10 +++----- .../win_susp_winrar_execution.yml | 2 -- .../win_task_folder_evasion.yml | 2 -- .../process_creation/win_uac_cmstp.yml | 2 -- .../process_creation/win_uac_fodhelper.yml | 1 - .../process_creation/win_uac_wsreset.yml | 1 - .../win_webshell_detection.yml | 2 -- .../win_webshell_recon_detection.yml | 2 -- .../process_creation/win_webshell_spawn.yml | 1 - .../win_win10_sched_task_0day.yml | 1 - 
..._wmi_backdoor_exchange_transport_agent.yml | 1 - ..._wmi_persistence_script_event_consumer.yml | 1 - .../win_wmi_spwns_powershell.yml | 10 +++----- .../win_wsreset_uac_bypass.yml | 1 - .../win_xsl_script_processing.yml | 1 - .../registry_event_apt_chafer_mar18.yml | 25 ++++++++----------- .../registry_event_defender_disabled.yml | 1 - .../registry_event_defender_exclusions.yml | 1 - ...egistry_event_dns_serverlevelplugindll.yml | 1 - .../registry_event_mal_adwind.yml | 9 +++---- .../registry_event_net_ntlm_downgrade.yml | 1 - ...registry_event_stickykey_like_backdoor.yml | 15 ++++++----- .../registry_event_uac_bypass_eventvwr.yml | 11 ++++---- .../registry_event/sysmon_apt_leviathan.yml | 7 +++--- .../sysmon_asep_reg_keys_modification.yml | 7 +++--- .../sysmon_cmstp_execution_by_registry.yml | 13 +++++----- .../registry_event/sysmon_dhcp_calloutdll.yml | 1 - ...y_events_logging_adding_reg_key_minint.yml | 1 - .../registry_event/sysmon_hack_wce_reg.yml | 1 - ...gon_scripts_userinitmprlogonscript_reg.yml | 1 - .../sysmon_narrator_feedback_persistance.yml | 1 - ..._dll_added_to_appcertdlls_registry_key.yml | 1 - ...dll_added_to_appinit_dlls_registry_key.yml | 7 +++--- ...ysmon_registry_persistence_key_linking.yml | 7 +++--- ...mon_registry_trust_record_modification.yml | 1 - .../sysmon_ssp_added_lsa_config.yml | 1 - .../sysmon_susp_download_run_key.yml | 1 - .../sysmon_susp_lsass_dll_load.yml | 1 - .../sysmon_susp_reg_persist_explorer_run.yml | 2 -- .../sysmon_susp_run_key_img_folder.yml | 7 +++--- .../sysmon_susp_service_installed.yml | 1 - .../sysmon_uac_bypass_sdclt.yml | 11 ++++---- .../sysmon_win_reg_persistence.yml | 1 - .../sysmon_wmi_event_subscription.yml | 1 - .../wmi_event/sysmon_wmi_susp_scripting.yml | 7 +++--- 497 files changed, 81 insertions(+), 692 deletions(-) diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml index faeea86db..0f5fba3e4 100644 --- a/rules/apt/apt_silence_downloader_v3.yml 
+++ b/rules/apt/apt_silence_downloader_v3.yml
@@ -31,7 +31,6 @@ level: high
tags:
- attack.persistence
- attack.t1547.001
- - attack.t1060 # an old one
- attack.discovery
- attack.t1057
- attack.t1082
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index ad8aadcf9..8f4d5ef82 100644
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@@ -32,10 +32,8 @@ level: critical
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
- attack.command_and_control
- attack.t1071.004
- - attack.t1071 # an old one
- attack.t1572
- attack.impact
- attack.t1529
diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
index 6d3e484db..965007fc9 100644
--- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
@@ -24,4 +24,3 @@ level: medium
tags:
- attack.defense_evasion
- attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml
index 71ff54910..6a0d9e6a3 100644
--- a/rules/cloud/aws/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/aws_config_disable_recording.yml
@@ -21,4 +21,3 @@ level: high
tags:
- attack.defense_evasion
- attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml
index 1e8aa959c..b483c2036 100644
--- a/rules/cloud/aws/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml
@@ -22,8 +22,5 @@ level: high
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
- attack.t1059.003
- attack.t1059.004
- - attack.t1059 # an old one
- - attack.t1064 # an old one
diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml
index d7500a063..259414a9f 100644
--- a/rules/cloud/aws/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/aws_guardduty_disruption.yml
@@ -21,4 +21,3 @@ level: high
tags:
- attack.defense_evasion
- attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml
index 2306c3222..14bbc35e5 100644
--- a/rules/cloud/aws/aws_root_account_usage.yml
+++ b/rules/cloud/aws/aws_root_account_usage.yml
@@ -22,4 +22,3 @@ level: medium
tags:
- attack.privilege_escalation
- attack.t1078.004
- - attack.t1078 # an old one
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index 89030ee2d..9bc2d54c2 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -28,6 +28,5 @@ falsepositives:
level: medium
tags:
- attack.s0003
- - attack.t1156 # an old one
- attack.persistence
- attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 6d2657ca7..71ce7553c 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -28,5 +28,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1054 # an old one
- attack.t1562.006
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 8d2d96b09..0cc93ec67 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -19,6 +19,5 @@ falsepositives:
- Admin activity
level: medium
tags:
- - attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index 018008956..028aac4f9 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -27,5 +27,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1054 # an old one
- attack.t1562.006
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
index dfaa5a4ef..2b1d7f6cd 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
@@ -14,7 +14,6 @@ logsource:
tags:
- attack.privilege_escalation
- attack.t1068
- - attack.t1169 # an old one
- attack.t1548.003
- cve.2019.14287
detection:
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
index 96afaf522..160c8094b 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
@@ -18,7 +18,6 @@ logsource:
tags:
- attack.privilege_escalation
- attack.t1068
- - attack.t1169 # an old one
- attack.t1548.003
- cve.2019.14287
detection:
diff --git a/rules/linux/macos/process_creation/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
index b5e7862d9..573af8117 100644
--- a/rules/linux/macos/process_creation/macos_create_account.yml
+++ b/rules/linux/macos/process_creation/macos_create_account.yml
@@ -21,6 +21,5 @@ falsepositives:
- Legitimate administration activities
level: low
tags:
- - attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index 655b9528e..096cbe2e9 100644
--- a/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -13,7 +13,6 @@ references:
tags:
- attack.defense_evasion
- attack.t1562.004
- - attack.t1089 # an old one
logsource:
product: linux
service: syslog
diff --git a/rules/linux/process_creation/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml
index 56bc28af5..0455235a2 100644
--- a/rules/linux/process_creation/lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/lnx_security_tools_disabling.yml
@@ -10,7 +10,6 @@ references:
tags:
- attack.defense_evasion
- attack.t1562.004
- - attack.t1089 # an old one
logsource:
category: process_creation
product: linux
diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml
index dcef68df3..89ed46e9a 100644
--- a/rules/linux/process_creation/lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/lnx_webshell_detection.yml
@@ -8,7 +8,6 @@ date: 2021/10/15
author: Florian Roth
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
logsource:
product: linux
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 2c261f2d9..2b1d1ff0d 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1146 # an old one
- attack.t1070.003
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index d7735944d..a3c03bf52 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -29,9 +29,6 @@ tags:
- attack.discovery
- attack.credential_access
- attack.collection
- - attack.t1087 # an old one
- attack.t1087.001
- - attack.t1003 # an old one
- - attack.t1081 # an old one
- attack.t1552.001
- attack.t1005
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index b3dfc8fc4..35510c62e 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -27,7 +27,5 @@ level: high
tags:
- attack.credential_access
- attack.defense_evasion
- - attack.t1130 # an old one
- attack.t1553.004
- - attack.t1145 # an old one
- attack.t1552.004
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 510ec7346..d90b34743 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index fc0c76fa9..bdedcfc76 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -24,5 +24,4 @@ tags:
- attack.impact
- attack.t1495
- attack.t1529
- - attack.t1492 # an old one
- attack.t1565.001
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 9849c2364..4e35a0dd1 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -23,9 +23,6 @@ level: medium
tags:
- attack.defense_evasion
- attack.impact
- - attack.t1107 # an old one
- attack.t1070.004
- - attack.t1488 # an old one
- attack.t1561.001
- - attack.t1487 # an old one
- attack.t1561.002
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index 27c70acec..bf429a053 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -22,5 +22,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- - attack.t1139 # an old one
- attack.t1552.003
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 0a57541c9..4d579b008 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -21,6 +21,5 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1136 # an old one
- attack.t1136.001
- attack.t1098
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index e1b6d7684..dffc9bced 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -30,7 +30,5 @@ tags:
- attack.impact
- attack.t1490
- attack.t1505
- - attack.t1493 # an old one
- attack.t1565.002
- - attack.t1168 # an old one
- attack.t1053
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index a80bbfb5b..138a0f3d4 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -30,5 +30,4 @@ tags:
- attack.exfiltration
- attack.t1074
- attack.t1105
- - attack.t1002 # an old one
- attack.t1560.001
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 497ab0b5f..4d0edd9e0 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -19,8 +19,6 @@ falsepositives:
level: high
tags:
- attack.command_and_control
- - attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- - attack.t1048 # an old one
- attack.t1048.003
diff --git a/rules/network/net_firewall_high_dns_bytes_out.yml b/rules/network/net_firewall_high_dns_bytes_out.yml
index afe5e839e..1b5e3bf9f 100644
--- a/rules/network/net_firewall_high_dns_bytes_out.yml
+++ b/rules/network/net_firewall_high_dns_bytes_out.yml
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 logsource:
 category: firewall
diff --git a/rules/network/net_firewall_high_dns_requests_rate.yml b/rules/network/net_firewall_high_dns_requests_rate.yml
index 843c080a7..b57f3feca 100644
--- a/rules/network/net_firewall_high_dns_requests_rate.yml
+++ b/rules/network/net_firewall_high_dns_requests_rate.yml
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 category: firewall
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml
index 193bfcdff..86cd973f6 100644
--- a/rules/network/net_high_dns_bytes_out.yml
+++ b/rules/network/net_high_dns_bytes_out.yml
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 logsource:
 category: dns
diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml
index da8727716..20dd6a519 100644
--- a/rules/network/net_high_dns_requests_rate.yml
+++ b/rules/network/net_high_dns_requests_rate.yml
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml
index e8166edca..a5e92db2e 100644
--- a/rules/network/net_high_null_records_requests_rate.yml
+++ b/rules/network/net_high_null_records_requests_rate.yml
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml
index fac27dab9..95c2ea626 100644
--- a/rules/network/net_high_txt_records_requests_rate.yml
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index d07c4f8ab..a7c46dd46 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: critical
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml
index c235127de..76cbf9663 100644
--- a/rules/network/net_susp_dns_b64_queries.yml
+++ b/rules/network/net_susp_dns_b64_queries.yml
@@ -18,8 +18,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 9ea3d56d2..91533cedc 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml
index 4e813ed87..b37de31a3 100644
--- a/rules/network/net_susp_telegram_api.yml
+++ b/rules/network/net_susp_telegram_api.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: medium
 tags:
 - attack.command_and_control
- - attack.t1102 # an old one
 - attack.t1102.002
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index 316835f92..efe93efe0 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -9,7 +9,6 @@ date: 2020/05/03
 modified: 2021/11/14
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
 - attack.t1082
 logsource:
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index b586d3831..568d8a0f6 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -48,8 +48,6 @@ falsepositives:
 level: medium
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1047
- - attack.t1053 # an old one
 - attack.t1053.002
 - attack.t1569.002
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 4621e4f36..d9dfdcfbc 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -36,5 +36,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1004 # an old one
 - attack.t1547.004
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 4b80f9055..87868b483 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -12,7 +12,6 @@ logsource:
 service: dns
 product: zeek
 tags:
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.t1496
 detection:
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 06b8a5801..0e6a8c2e1 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -11,9 +11,8 @@ references:
 - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 author: '@neu5ron, SOC Prime Team, Corelight'
 tags:
- - attack.t1094 # an old one
 - attack.t1095
- - attack.t1043
+ - attack.t1571
 - attack.command_and_control
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index 8b2f1a02f..1f41a07f9 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -5,7 +5,6 @@ description: Detects connections from routable IPs to an RDP listener - which is
 references:
 - https://attack.mitre.org/techniques/T1021/001/
 tags:
- - attack.t1021 # an old one
 - attack.t1021.001
 author: 'Josh Brower @DefensiveDepth'
 date: 2020/08/22
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 7451b3b31..952010ffb 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -22,7 +22,6 @@ level: medium
 tags:
 - attack.lateral_movement
 - attack.persistence
- - attack.t1053 # an old one
 - car.2013-05-004
 - car.2015-04-001
 - attack.t1053.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 98ad4d204..f0b7975ae 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
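Review bot: The hunk for zeek_dns_suspicious_zbit_flag.yml swaps `attack.t1043` for `attack.t1571` instead of deleting the retired tag, which is the only re-mapping in a commit titled "remove invalid tag", and the new tag carries no "# an old one" style note explaining the choice. As far as I recall the ATT&CK v7 remap, T1043 (Commonly Used Port) was retired without a successor while T1571 (Non-Standard Port) replaced T1065, so for a rule about DNS Z-bit anomalies the new tag may not describe what the detection observes; please confirm the mapping against the ATT&CK deprecation notes, or drop the line as the sibling hunks do. If the re-mapping is intended, record it in the commit message and bump the rule's modification date (outside this hunk), since coverage dashboards key on these tags.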
@@ -23,7 +23,6 @@ falsepositives:
 level: high
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index 74f765b4a..e9b886aa5 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -39,5 +39,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 13162d6a0..2093f2dfd 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -30,5 +30,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 848b04118..ed9fc8db2 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -27,7 +27,6 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 5b2517060..173944db0 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1208 # an old one
 - attack.t1558.003
diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml
index 56869f0ef..ad78cd5f8 100644
--- a/rules/proxy/proxy_apt40.yml
+++ b/rules/proxy/proxy_apt40.yml
@@ -23,7 +23,5 @@ level: high
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.exfiltration
 - attack.t1567.002
- - attack.t1048 # an old one
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 65b74bef3..eea3ebbfc 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -23,4 +23,3 @@ level: critical
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 46d5fcc7f..7301303a0 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -30,4 +30,4 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
+ 
\ No newline at end of file
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
index a3b19690c..43553af44 100644
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -25,4 +25,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml
index 4c45e33c7..01d606b57 100644
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@@ -22,4 +22,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 6ceee22b7..e3e605417 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
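Review bot: In the proxy_cobalt_amazon.yml hunk the retired `attack.t1043` line is not removed but replaced by an added whitespace-only line, and the `\ No newline at end of file` marker shows the file now ends on that line without a trailing newline, which is why this hunk reads `-30,4 +30,4` while every sibling hunk is a pure deletion. yamllint will flag the trailing spaces and missing final newline, and a stray indented blank line at the end of a block sequence is the kind of thing that trips stricter YAML tooling. Delete the line outright so the tags list ends with `- attack.t1071.001` followed by a newline, matching the proxy_cobalt_malformed_uas.yml and proxy_cobalt_ocsp.yml hunks in this same commit.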
@@ -25,4 +25,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 739a09478..f5374e960 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -113,4 +113,3 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
index d30f7d32b..268fd3abb 100644
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@@ -62,4 +62,3 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml
index d797c734d..a619b015a 100644
--- a/rules/proxy/proxy_downloadcradle_webdav.yml
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml
@@ -27,4 +27,3 @@ level: high
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml
index a36a0909f..7f027bfb2 100644
--- a/rules/proxy/proxy_empire_ua_uri_combos.yml
+++ b/rules/proxy/proxy_empire_ua_uri_combos.yml
@@ -28,4 +28,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index ab89ee9ef..a86801b78 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -30,4 +30,3 @@ tags:
 - attack.credential_access
 - attack.t1528
 - attack.t1552.001
- - attack.t1081 # an old one
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
index 42813f313..d9b6569a2 100644
--- a/rules/proxy/proxy_pwndrop.yml
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -23,7 +23,5 @@ level: critical
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.t1102.001
 - attack.t1102.003
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index b731474b6..9135f5e4c 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -27,8 +27,6 @@ level: high
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.t1102.001
 - attack.t1102.003
 - attack.defense_evasion
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index a12c9e45d..3277e1224 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -24,7 +24,5 @@ tags:
 - attack.t1189
 - attack.execution
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.defense_evasion
 - attack.t1036.005
- - attack.t1036 # an old one
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml
index c961ec2c9..c8803a0a1 100644
--- a/rules/proxy/proxy_telegram_api.yml
+++ b/rules/proxy/proxy_telegram_api.yml
@@ -32,6 +32,4 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.t1102.002
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
index 2f97ae7da..41b3aa242 100644
--- a/rules/proxy/proxy_turla_comrat.yml
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -20,5 +20,4 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.g0010
diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml
index d9f0aa5df..c0068e710 100644
--- a/rules/proxy/proxy_ursnif_malware_c2_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml
@@ -30,9 +30,7 @@ level: critical
 tags:
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
 - attack.execution
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.command_and_control
 - attack.t1071.001
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index e2fe9853d..a7c208d46 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -18,5 +18,4 @@ falsepositives:
 level: high
 tags:
 - attack.impact
- - attack.t1499 # an old one
 - attack.t1499.004
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index 0ca683c20..40b443f54 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -21,7 +21,6 @@ falsepositives:
 - Unknown
 level: critical
 tags:
- - attack.t1100 # an old one
 - attack.t1190
 - attack.initial_access
 - attack.persistence
diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
index e2715da28..ad25c59e9 100644
--- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -24,7 +24,6 @@ falsepositives:
 - Unknown
 level: high
 tags:
- - attack.t1100 # an old one
 - attack.t1190
 - attack.initial_access
 - cve.2020.14882
diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
index 5663b39d8..98eb7aa2e 100644
--- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -30,7 +30,6 @@ falsepositives:
 - Unknown
 level: high
 tags:
- - attack.t1100 # an old one
 - attack.t1190
 - attack.initial_access
 - cve.2020.3452
\ No newline at end of file
diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml
index 34e6786a6..7a66f2a83 100644
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: high
 tags:
 - attack.persistence
- - attack.t1100 # an old one
 - attack.t1505.003
diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml
index b51f2b830..b96d0af9f 100644
--- a/rules/web/win_powershell_snapins_hafnium.yml
+++ b/rules/web/win_powershell_snapins_hafnium.yml
@@ -10,7 +10,6 @@ date: 2021/03/03
 modified: 2021/08/09
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 - attack.collection
 - attack.t1114
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index 7dc07c128..7e38813c7 100644
--- a/rules/web/win_webshell_regeorg.yml
+++ b/rules/web/win_webshell_regeorg.yml
@@ -33,5 +33,4 @@ falsepositives:
 level: high
 tags:
 - attack.persistence
- - attack.t1100 # an old one
 - attack.t1505.003
diff --git a/rules/windows/builtin/application/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml
index b7b91a54c..48063418f 100644
--- a/rules/windows/builtin/application/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/win_susp_backup_delete.yml
@@ -10,7 +10,6 @@ date: 2017/05/12
 modified: 2021/10/13
 tags:
 - attack.defense_evasion
- - attack.t1107 # an old one
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
index a128d21dc..e5e4e8d67 100644
--- a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
@@ -3,7 +3,6 @@ id: 6c82cf5c-090d-4d57-9188-533577631108
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1211
 - attack.t1562.001
 status: experimental
diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index 017048ad8..c5798b2c3 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -5,7 +5,6 @@ references:
 - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
 status: experimental
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/security/win_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
index 779fe0302..2f3e22891 100644
--- a/rules/windows/builtin/security/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1222 # an old one
 - attack.t1222.001
diff --git a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
index f87dba3b8..c67999e5b 100644
--- a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
@@ -31,5 +31,4 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.006
diff --git a/rules/windows/builtin/security/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml
index 85a1ac967..37a865e95 100644
--- a/rules/windows/builtin/security/win_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_ad_user_enumeration.yml
@@ -11,7 +11,6 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml
index 1ff0216df..a2186be2b 100644
--- a/rules/windows/builtin/security/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/win_admin_rdp_login.yml
@@ -5,7 +5,6 @@ references:
 - https://car.mitre.org/wiki/CAR-2016-04-005
 tags:
 - attack.lateral_movement
- - attack.t1078 # an old one
 - attack.t1078.001
 - attack.t1078.002
 - attack.t1078.003
diff --git a/rules/windows/builtin/security/win_admin_share_access.yml b/rules/windows/builtin/security/win_admin_share_access.yml
index fd78ca8a7..3d8dc32ec 100644
--- a/rules/windows/builtin/security/win_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_admin_share_access.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: low
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
index ab46a0015..5667e9467 100644
--- a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
@@ -86,5 +86,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/windows/builtin/security/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml
index 071c57705..94c382c2f 100644
--- a/rules/windows/builtin/security/win_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_alert_ruler.yml
@@ -15,7 +15,6 @@ tags:
 - attack.discovery
 - attack.execution
 - attack.t1087
- - attack.t1075 # an old one
 - attack.t1114
 - attack.t1059
 - attack.t1550.002
diff --git a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
index b1b621bcf..5843d6bf9 100644
--- a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
@@ -10,15 +10,12 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.s0111
- - attack.t1050 # an old one
 - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 date: 2018/03/23
 modified: 2021/09/19
diff --git a/rules/windows/builtin/security/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml
index fc8011516..8dcb9b26c 100644
--- a/rules/windows/builtin/security/win_apt_wocao.yml
+++ b/rules/windows/builtin/security/win_apt_wocao.yml
@@ -11,13 +11,10 @@ tags:
 - attack.t1012
 - attack.defense_evasion
 - attack.t1036.004
- - attack.t1036 # an old one
 - attack.t1027
 - attack.execution
 - attack.t1053.005
- - attack.t1053 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 date: 2019/12/20
 modified: 2021/09/19
 logsource:
diff --git a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
index 086feb2b2..252c8334c 100644
--- a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -9,7 +9,6 @@ references:
 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
 tags:
 - attack.t1204
- - attack.t1193 # an old one
 - attack.t1566.001
 - attack.execution
 - attack.initial_access
diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
index e0caff9b4..f45c6c860 100644
--- a/rules/windows/builtin/security/win_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_atsvc_task.yml
@@ -24,7 +24,6 @@ level: medium
 tags:
 - attack.lateral_movement
 - attack.persistence
- - attack.t1053 # an old one
 - car.2013-05-004
 - car.2015-04-001
 - attack.t1053.002
diff --git a/rules/windows/builtin/security/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml
index 70ec081b7..1c4d3086e 100644
--- a/rules/windows/builtin/security/win_dcsync.yml
+++ b/rules/windows/builtin/security/win_dcsync.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.credential_access
 - attack.s0002
- - attack.t1003 # an old one
 - attack.t1003.006
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml
index 46345954a..a0196d1db 100644
--- a/rules/windows/builtin/security/win_defender_bypass.yml
+++ b/rules/windows/builtin/security/win_defender_bypass.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/windows/builtin/security/win_disable_event_logging.yml b/rules/windows/builtin/security/win_disable_event_logging.yml
index 9f3b32e5c..1975bc806 100644
--- a/rules/windows/builtin/security/win_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_disable_event_logging.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1054 # an old one
 - attack.t1562.002
diff --git a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
index bf6c020e3..57ecd7d68 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.004
diff --git a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
index 07159fd3f..919d985b3 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.004
diff --git a/rules/windows/builtin/security/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml
index 26deafd02..3bb242439 100644
--- a/rules/windows/builtin/security/win_event_log_cleared.yml
+++ b/rules/windows/builtin/security/win_event_log_cleared.yml
@@ -12,7 +12,6 @@ logsource:
 service: security
 product: windows
 tags:
- - attack.t1107 # an old one
 - attack.t1070.001
 detection:
 selection:
diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 5bd709c7d..6659a8c0c 100644
--- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -9,7 +9,6 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
index ab7dfd2d3..031277636 100644
--- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
@@ -27,5 +27,4 @@ level: high
 tags:
 - attack.persistence
 - attack.lateral_movement
- - attack.t1053 # an old one
 - attack.t1053.005
diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
index 798069d92..312355ab0 100644
--- a/rules/windows/builtin/security/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_impacket_secretdump.yml
@@ -9,7 +9,6 @@ references:
 - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml
index acf2eb16b..a5a4abc1d 100644
--- a/rules/windows/builtin/security/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_lm_namedpipe.yml
@@ -42,5 +42,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index d1157daf3..0fd9ca77a 100644
--- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -9,7 +9,6 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml
index a74b3aa9d..2addf4d35 100644
--- a/rules/windows/builtin/security/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_metasploit_authentication.yml
@@ -9,7 +9,6 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 5fc1af96f..731069c17 100644
--- a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -12,7 +12,6 @@ date: 2018/03/20
 modified: 2021/06/27
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
 - attack.t1112
 # Windows Security Eventlog: Process Creation with Full Command Line
diff --git a/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
index 021f753ba..989b884e6 100755
--- a/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1023 # an old one
 - attack.t1547.009
diff --git a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
index 7b48f7705..8f200780d 100644
--- a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: medium
 tags:
 - attack.lateral_movement
- - attack.t1076 # an old one
 - attack.t1021.001
diff --git a/rules/windows/builtin/security/win_overpass_the_hash.yml b/rules/windows/builtin/security/win_overpass_the_hash.yml
index a123ed2be..60edc2213 100644
--- a/rules/windows/builtin/security/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/win_overpass_the_hash.yml
@@ -22,6 +22,5 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1075 # an old one
 - attack.s0002
 - attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml
index ca9d3f39c..ca13aa9cf 100644
--- a/rules/windows/builtin/security/win_pass_the_hash.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash.yml
@@ -29,6 +29,5 @@ falsepositives:
 level: medium
 tags:
 - attack.lateral_movement
- - attack.t1075 # an old one
 - car.2016-04-004
 - attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
index f70a26051..0fdadb4a1 100644
--- a/rules/windows/builtin/security/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash_2.yml
@@ -10,7 +10,6 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
 date: 2019/06/14
 tags:
 - attack.lateral_movement
- - attack.t1075 # an old one
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
index 29cea968c..006a8a330 100644
--- a/rules/windows/builtin/security/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_protected_storage_service_access.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: critical
 tags:
 - attack.lateral_movement
- - attack.t1021 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
index 4e25bed94..25a7a93ae 100644
--- a/rules/windows/builtin/security/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
@@ -22,6 +22,5 @@ tags:
 - attack.execution
 - attack.privilege_escalation
 - attack.persistence
- - attack.t1053 # an old one
 - car.2013-08-001
 - attack.t1053.005
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index f6ddb6e44..26c9954fd 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -7,7 +7,6 @@ date: 2019/01/28
 modified: 2021/07/07
 tags:
 - attack.lateral_movement
- - attack.t1076 # an old one
 - car.2013-07-002
 - attack.t1021.001
 status: experimental
diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index c56e62128..5f127ce93 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -12,8 +12,6 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.lateral_movement
- - attack.t1076 # an old one
- - attack.t1090 # an old one
 - attack.t1090.001
 - attack.t1090.002
 - attack.t1021.001
diff --git a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
index 9f5b22151..05f1fe83e 100644
--- a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.lateral_movement
 - attack.privilege_escalation
- - attack.t1208 # an old one
 - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml
index 3de3b459a..0fd7f3726 100644
--- a/rules/windows/builtin/security/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_remote_powershell_session.yml
@@ -9,7 +9,6 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
index 9150ab1a9..865a9c845 100644
--- a/rules/windows/builtin/security/win_scheduled_task_deletion.yml
+++ b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
@@ -7,7 +7,6 @@ date: 2021/01/22
 tags:
 - attack.execution
 - attack.privilege_escalation
- - attack.t1053 # an old one
 - car.2013-08-001
 - attack.t1053.005
 references:
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index d311d40f9..ca29a8a52 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
 tags:
 - attack.credential_access
 - attack.execution
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
 - attack.t1003.006
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index 3f798a692..b3b0a67c2 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -16,8 +16,6 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1003
- - attack.t1035 # an old one
- - attack.t1050 # an old one
 - car.2013-09-005
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 17df9ffed..aa946c489 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -13,7 +13,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 514a0ca97..900c55750 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1084 # an old one
 - attack.t1546.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_add_sid_history.yml b/rules/windows/builtin/security/win_susp_add_sid_history.yml
index 9f0b7fae5..60d809e44 100644
--- a/rules/windows/builtin/security/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_susp_add_sid_history.yml
@@ -9,7 +9,6 @@ date: 2017/02/19
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1178 # an old one
 - attack.t1134.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
index d2f352e6a..78d011da9 100644
--- a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
@@ -7,7 +7,6 @@ date: 2019/12/03
 modified: 2020/08/23
 tags:
 - attack.defense_evasion
- - attack.t1009 # an old one
 - attack.t1027.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
index 47b1592f9..40a1bd711 100644
--- a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
@@ -13,7 +13,6 @@ date: 2017/01/10
 modified: 2022/01/07
 tags:
 - attack.defense_evasion
- - attack.t1070 # an old one
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
index 3084f30bb..c38a5a2f0 100644
--- a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
@@ -25,6 +25,5 @@ falsepositives:
 - Companies, who may use these default LDAP-Attributes for personal information
 level: high
 tags:
- - attack.t1071 # an old one
 - attack.t1001.003
 - attack.command_and_control
diff --git a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
index ec3eaac7c..d44cab80b 100644
--- a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
@@ -9,7 +9,6 @@ date: 2019/10/31
 modified: 2021/07/06
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.t1136.002
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml
index 8da6d3706..9046f32d1 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump.yml
@@ -9,7 +9,6 @@ references:
 - https://twitter.com/jackcr/status/807385668833968128
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
index 6e367a645..af746fc30 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
@@ -10,7 +10,6 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - car.2019-04-004
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
index 380774c5e..d4fd16e68 100644
--- a/rules/windows/builtin/security/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
@@ -30,8 +30,6 @@ falsepositives:
 level: high
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
- - attack.t1069 # an old one
 - attack.t1069.002
 - attack.s0039
diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml
index 5377a73ab..2934d2fcf 100644
--- a/rules/windows/builtin/security/win_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_susp_psexec.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
index 91d3b5b1e..3f7576a13 100644
--- a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
@@ -6,7 +6,6 @@ references:
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 tags:
 - attack.credential_access
- - attack.t1208 # an old one
 - attack.t1558.003
 description: Detects service ticket requests using RC4 encryption type
 author: Florian Roth
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index 1fd50a283..b685533d3 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -10,7 +10,6 @@ modified: 2021/07/07
 tags:
 - attack.privilege_escalation
 - attack.credential_access
- - attack.t1171 # an old one
 - attack.t1557.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_sdelete.yml b/rules/windows/builtin/security/win_susp_sdelete.yml
index a01737771..d53bd9789 100644
--- a/rules/windows/builtin/security/win_susp_sdelete.yml
+++ b/rules/windows/builtin/security/win_susp_sdelete.yml
@@ -28,9 +28,7 @@ level: medium
 tags:
 - attack.impact
 - attack.defense_evasion
- - attack.t1107 # an old one
 - attack.t1070.004
- - attack.t1066 # an old one
 - attack.t1027.005
 - attack.t1485
 - attack.t1553.002
diff --git a/rules/windows/builtin/security/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml
index d518bd8a7..73052f65d 100644
--- a/rules/windows/builtin/security/win_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_susp_time_modification.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1099 # an old one
 - attack.t1070.006
diff --git a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
index a7df9e611..8f331063c 100644
--- a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
@@ -26,5 +26,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1208 # an old one
 - attack.t1558.003
diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml
index af7b98f47..433ea4c5b 100644
--- a/rules/windows/builtin/security/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml
@@ -24,5 +24,4 @@ level: medium
 tags:
 - attack.lateral_movement
 - attack.persistence
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
index f8b084ce8..75bd3074c 100644
--- a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
+++ b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -29,7 +29,6 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
index f243911f0..45242a31d 100644
--- a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.lateral_movement
 - attack.privilege_escalation
- - attack.t1208 # an old one
 - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
index 69521c42f..a16ebf7a9 100644
--- a/rules/windows/builtin/security/win_user_creation.yml
+++ b/rules/windows/builtin/security/win_user_creation.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: low
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_user_driver_loaded.yml b/rules/windows/builtin/security/win_user_driver_loaded.yml
index 98e247108..45b5f6218 100644
--- a/rules/windows/builtin/security/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_user_driver_loaded.yml
@@ -36,6 +36,5 @@ falsepositives:
 - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
 level: medium
 tags:
- - attack.t1089 # an old one
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
index 189973a8a..1cb7b91a1 100755
--- a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
@@ -25,5 +25,4 @@ level: high
 tags:
 - attack.persistence
 - attack.g0010
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
index 47cf659f1..d196830fe 100644
--- a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
@@ -7,15 +7,12 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.s0111
- - attack.t1050 # an old one
 - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 date: 2018/03/23
 modified: 2021/11/30
diff --git a/rules/windows/builtin/system/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_apt_stonedrill.yml
index d85d40dc3..3d5ba49bf 100755
--- a/rules/windows/builtin/system/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/system/win_apt_stonedrill.yml
@@ -23,5 +23,4 @@ level: high
 tags:
 - attack.persistence
 - attack.g0064
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml
index 9c9a8a47c..1552f94a4 100644
--- a/rules/windows/builtin/system/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/system/win_apt_turla_service_png.yml
@@ -22,5 +22,4 @@ level: critical
 tags:
 - attack.persistence
 - attack.g0010
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
index c733d9db6..cf1168712 100644
--- a/rules/windows/builtin/system/win_hack_smbexec.yml
+++ b/rules/windows/builtin/system/win_hack_smbexec.yml
@@ -27,7 +27,5 @@ level: critical
 tags:
 - attack.lateral_movement
 - attack.execution
- - attack.t1077 # an old one
 - attack.t1021.002
- - attack.t1035 # an old one
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/win_mal_creddumper.yml b/rules/windows/builtin/system/win_mal_creddumper.yml
index 93f1da11a..fcd6b5124 100644
--- a/rules/windows/builtin/system/win_mal_creddumper.yml
+++ b/rules/windows/builtin/system/win_mal_creddumper.yml
@@ -10,13 +10,11 @@ references:
 tags:
 - attack.credential_access
 - attack.execution
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
 - attack.t1003.006
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 911ecf135..9a66aa229 100644
--- a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -10,7 +10,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
index b4604cec8..7e4c1b7cc 100644
--- a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
@@ -19,5 +19,4 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_rare_service_installs.yml b/rules/windows/builtin/system/win_rare_service_installs.yml
index 5d8565399..045d35b73 100644
--- a/rules/windows/builtin/system/win_rare_service_installs.yml
+++ b/rules/windows/builtin/system/win_rare_service_installs.yml
@@ -21,6 +21,5 @@ level: low
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1050 # an old one
 - car.2013-09-005
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml
index 8b5b0feb5..43daa66bb 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config.yml
@@ -11,7 +11,6 @@ modified: 2021/10/13
 author: Dimitrios Slamaris
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
index b6235d1e0..1a1d87fbd 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
@@ -10,7 +10,6 @@ date: 2017/05/15
 modified: 2021/10/13
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 author: 'Dimitrios Slamaris, @atc_project (fix)'
 logsource:
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
index ad4617a57..15cb35d23 100644
--- a/rules/windows/builtin/system/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_susp_sam_dump.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
index 6ce32b306..114e701d5 100644
--- a/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -13,7 +13,6 @@ references:
 status: stable
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
index 84e9d3330..bac81ee27 100644
--- a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -15,7 +15,6 @@ date: 2017/01/10
 modified: 2022/01/07
 tags:
 - attack.defense_evasion
- - attack.t1070 # an old one
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
index 3528eaae2..d54e00e74 100644
--- a/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_tool_psexec.yml
@@ -10,7 +10,6 @@ references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0029
 fields:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 2de4b87d0..a4d6f2a09 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -9,7 +9,6 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 tags:
 - attack.s0002
- - attack.t1003 # an old one
 - attack.lateral_movement
 - attack.credential_access
 - car.2013-07-001
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 8b6e3dee2..1bc41f106 100644
--- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -24,10 +24,8 @@ detection:
 condition: selection
 tags:
 - attack.defense_evasion
- - attack.t1093 # an old one
 - attack.t1055.012
 - attack.execution
- - attack.t1064 # an old one
 - attack.t1059.005
 - attack.t1059.007
 - attack.t1218.005
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index 94a3f1c7e..02934f765 100644
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -6,7 +6,6 @@ references:
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
 - attack.defense_evasion
- - attack.t1055 # an old one
 - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index 04829d335..041904e8b 100644
--- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -20,5 +20,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1055 # an old one
 - attack.t1055.001
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
index fbdb2e081..958d88cea 100644
--- a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -17,7 +17,6 @@ detection:
 condition: selection
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.s0005
 - attack.t1003.001
 falsepositives:
diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
index 081bd0b01..b9e029f91 100644
--- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -18,9 +18,7 @@ detection:
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085 # an old one
 - attack.t1218.011
- - attack.t1086 # an old one
 - attack.t1059.001
 falsepositives:
 - Unknown
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index e8b7a5b87..dffb1092d 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -25,6 +25,5 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1027 # an old one
 - attack.s0139
 - attack.t1564.004
diff --git a/rules/windows/deprecated/powershell_suspicious_download.yml b/rules/windows/deprecated/powershell_suspicious_download.yml
index 72d831a05..dd2cc5a96 100644
--- a/rules/windows/deprecated/powershell_suspicious_download.yml
+++ b/rules/windows/deprecated/powershell_suspicious_download.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
index 90cf7c75d..f0f7d851c 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index 080a241c5..bf4fd5226 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 logsource:
diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
index 7f3e6b0a4..7c80fd93b 100644
--- a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
@@ -9,7 +9,6 @@ references:
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
index a0299149f..6b396ffe6 100644
--- a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
@@ -11,10 +11,8 @@ references:
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.t1175 # an old one
 - attack.defense_evasion
 - attack.t1218.010
- - attack.t1117 # an old one
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml
index 2817cc600..b9be2da02 100644
--- a/rules/windows/driver_load/driver_load_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
 tags:
 - attack.credential_access
 - attack.execution
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
 - attack.t1003.006
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0005
 logsource:
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 9593302ff..172b3e23f 100644
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -13,7 +13,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml
index 1db8cc4d0..fbaec49c6 100755
--- a/rules/windows/driver_load/driver_load_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml
@@ -18,5 +18,4 @@ level: high
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
index cf9ea41cb..687865be6 100644
--- a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
+++ b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
@@ -14,7 +14,6 @@ modified: 2021/09/19
 tags:
 - attack.execution
 - attack.t1218.011
- - attack.t1085 # an old one
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file_event/file_event_hack_dumpert.yml b/rules/windows/file_event/file_event_hack_dumpert.yml
index ed3625dbb..74a805179 100755
--- a/rules/windows/file_event/file_event_hack_dumpert.yml
+++ b/rules/windows/file_event/file_event_hack_dumpert.yml
@@ -13,7 +13,6 @@ date: 2020/02/04
 modified: 2021/09/21
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
 logsource:
     category: file_event
diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml
index 1aae4f62e..a0bacd772 100644
--- a/rules/windows/file_event/file_event_hktl_createminidump.yml
+++ b/rules/windows/file_event/file_event_hktl_createminidump.yml
@@ -13,7 +13,6 @@ modified: 2021/09/19
 tags:
     - attack.credential_access
     - attack.t1003.001
-    - attack.t1003 # an old one
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml
index 8c401e191..f8e747bbe 100644
--- a/rules/windows/file_event/file_event_lsass_dump.yml
+++ b/rules/windows/file_event/file_event_lsass_dump.yml
@@ -13,7 +13,6 @@ date: 2021/11/15
 tags:
     - attack.credential_access
     - attack.t1003.001
-    - attack.t1003 # an old one
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file_event/file_event_mal_adwind.yml b/rules/windows/file_event/file_event_mal_adwind.yml
index bab320074..1e79f6b12 100644
--- a/rules/windows/file_event/file_event_mal_adwind.yml
+++ b/rules/windows/file_event/file_event_mal_adwind.yml
@@ -15,7 +15,6 @@ tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
-    - attack.t1064 # an old one
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file_event/file_event_tool_psexec.yml b/rules/windows/file_event/file_event_tool_psexec.yml
index 91a51e0af..d4e3d237b 100644
--- a/rules/windows/file_event/file_event_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_tool_psexec.yml
@@ -13,7 +13,6 @@ references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
     - attack.execution
-    - attack.t1035 # an old one
     - attack.t1569.002
     - attack.s0029
 fields:
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bc5be1459..49c10bff4 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -7,7 +7,6 @@ date: 2020/05/26
 modified: 2021/10/28
 tags:
     - attack.defense_evasion
-    - attack.t1036 # an old one
     - attack.t1036.005
 logsource:
     category: file_event
diff --git a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
index bd7f61751..4c07b444c 100755
--- a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -44,7 +44,6 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.003
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index 72e876b02..330c16858 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -19,5 +19,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index c3bf8ebe7..3648d592e 100755
--- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -8,7 +8,6 @@ date: 2019/10/22
 modified: 2021/08/16
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
 logsource:
     category: file_event
diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml
index 2f67a1a0c..658789a7a 100644
--- a/rules/windows/file_event/sysmon_office_persistence.yml
+++ b/rules/windows/file_event/sysmon_office_persistence.yml
@@ -28,5 +28,4 @@ falsepositives:
 level: high
 tags:
     - attack.persistence
-    - attack.t1137 # an old one
     - attack.t1137.006
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index ebda72aba..4f21221df 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -114,5 +114,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1086 # an old one
     - attack.t1059.001
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 431d86d6a..3e8ca7f58 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: critical
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.002
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 3484536d1..584b374df 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -29,6 +29,5 @@ falsepositives:
     - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
 level: high
 tags:
-    - attack.t1071 # an old one
     - attack.t1001.003
     - attack.command_and_control
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 7c44eaa61..119379751 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1023 # an old one
     - attack.t1547.009
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index ba0a1127c..d32dd30da 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -25,6 +25,5 @@ falsepositives:
     - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
 level: medium
 tags:
-    - attack.t1089 # an old one
     - attack.t1562.001
     - attack.defense_evasion
diff --git a/rules/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
index 655ddfe50..59a98326c 100755
--- a/rules/windows/file_event/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -42,5 +42,4 @@ falsepositives:
 level: critical
 tags:
     - attack.persistence
-    - attack.t1100 # an old one
     - attack.t1505.003
diff --git a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
index 5d736bc2e..4265bccba 100755
--- a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -18,6 +18,5 @@ falsepositives:
     - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
 level: high
 tags:
-    - attack.t1084 # an old one
     - attack.t1546.003
     - attack.persistence
diff --git a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
index ddb733aac..c7586f7d6 100644
--- a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -13,7 +13,6 @@ status: test
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
-    - attack.t1073 # an old one
     - attack.t1574.002
 detection:
     selection_dll:
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index edd59fc66..cdf9ee7d1 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -12,7 +12,6 @@ references:
     - https://adsecurity.org/?p=2921
     - https://github.com/p3nt4/PowerShdll
 tags:
-    - attack.t1086 # an old one
     - attack.t1059.001
     - attack.execution
 logsource:
diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml
index 39d0d7621..b49be7ca9 100644
--- a/rules/windows/image_load/sysmon_susp_fax_dll.yml
+++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml
@@ -26,7 +26,5 @@ level: high
 tags:
     - attack.persistence
     - attack.defense_evasion
-    - attack.t1073 # an old one
-    - attack.t1038 # an old one
     - attack.t1574.001
     - attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 726a87dd1..ff5ca7bfe 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1073 # an old one
     - attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index f8d5be4aa..6feea67a4 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 36b37ccb3..2cb835dfa 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index c30288f94..fc8c755b5 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 47a3b0424..649f5d309 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 54bf26095..f72268538 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index 802b5df9d..5b31fa62a 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1204 # an old one
     - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 90bfdd134..03fb50e95 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -65,5 +65,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 393876e94..0be23656b 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -28,7 +28,5 @@ level: high
 tags:
     - attack.persistence
     - attack.defense_evasion
-    - attack.t1073 # an old one
     - attack.t1574.002
-    - attack.t1038 # an old one
     - attack.t1574.001
diff --git a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
index d167e1004..831d31022 100755
--- a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -20,5 +20,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index 2b7a1420d..f0a9711a8 100755
--- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -19,6 +19,5 @@ falsepositives:
     - Unknown (data set is too small; further testing needed)
 level: high
 tags:
-    - attack.t1084 # an old one
     - attack.t1546.003
     - attack.persistence
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 90a124677..826dfffd3 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -17,7 +17,6 @@ references:
     - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 tags:
     - attack.persistence
-    - attack.t1100 # an old one
     - attack.t1505.003
 logsource:
     product: antivirus
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 177fb35a1..6bb0a471b 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -46,4 +46,3 @@ tags:
     - attack.t1218
     - attack.execution
     - attack.t1559.001
-    - attack.t1175 # an old one
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index 804ddbebe..90737fa59 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -96,4 +96,3 @@ level: medium
 tags:
     - attack.command_and_control
     - attack.t1571
-    - attack.t1043 # an old one
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index b728c7afb..f0deb73c0 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -11,7 +11,6 @@ references:
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
 logsource:
     category: network_connection
     product: windows
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index b42525448..a75bcb51b 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -12,7 +12,6 @@ tags:
     - attack.t1572
     - attack.lateral_movement
     - attack.t1021.001
-    - attack.t1076 # an old one
     - car.2013-07-002
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index ade7b3075..6aaf10275 100644
--- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -5,13 +5,6 @@ references:
     - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
     - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
-tags:
-    - attack.execution
-    - attack.t1559.001
-    - attack.t1175 # an old one
-    - attack.defense_evasion
-    - attack.t1218.010
-    - attack.t1117 # an old one
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
@@ -31,4 +24,9 @@ fields:
     - DestinationPort
 falsepositives:
     - unknown
-level: high
\ No newline at end of file
+level: high
+tags:
+    - attack.execution
+    - attack.t1559.001
+    - attack.defense_evasion
+    - attack.t1218.010
\ No newline at end of file
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index a3a16207b..e6eb9c587 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -24,7 +24,5 @@ level: high
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
     - attack.lateral_movement
     - attack.t1021.006
-    - attack.t1028 # an old one
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 2b32f35c2..97a5b9efd 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -47,5 +47,4 @@ level: medium
 tags:
     - attack.defense_evasion
     - attack.t1218.011
-    - attack.t1085 # an old one
     - attack.execution
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 91da2c975..faf94a368 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -45,5 +45,4 @@ level: high
 tags:
     - attack.lateral_movement
     - attack.t1021.001
-    - attack.t1076 # an old one
     - car.2013-07-002
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 0566f2b82..fd7cba0ab 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
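Review bot: The rewritten tail of sysmon_regsvr32_network_activity.yml still ends without a trailing newline — the `\ No newline at end of file` marker follows the re-added `    - attack.t1218.010` on the new side — so yamllint's new-line-at-end-of-file check keeps failing on a file this commit already rewrites; terminate the last line with a newline while it is being touched. Moving `tags:` from the header block to the end of the file also diverges from the sibling rule dns_query_regsvr32_network_activity.yml earlier in this diff, which keeps `tags:` beside `author:`/`status:`, so two otherwise parallel rules now lay out their metadata differently; keeping `tags:` in its original position (the previous hunk deletes it there) would avoid the churn. The deletion half of this move is the preceding hunk of the same file, so the two hunks should be read together.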
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -28,7 +28,5 @@ level: high
 tags:
     - attack.credential_access
     - attack.t1558
-    - attack.t1208 # an old one
     - attack.lateral_movement
     - attack.t1550.003
-    - attack.t1097 # an old one
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 915ef7f25..d275abb15 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -29,4 +29,3 @@ tags:
     - attack.t1105
     - attack.exfiltration
     - attack.t1567.001
-    - attack.t1048 # an old one
diff --git a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 1e14e667d..9e28f7ab9 100644
--- a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -32,10 +32,6 @@ falsepositives:
 level: medium
 tags:
     - attack.execution
-    - attack.t1086 # an old one
-    - attack.t1064 # an old one
-    - attack.t1204 # an old one
-    - attack.t1035 # an old one
     - attack.t1204.002
     - attack.t1059.001
     - attack.t1059.003
diff --git a/rules/windows/other/dns_server/win_susp_dns_config.yml b/rules/windows/other/dns_server/win_susp_dns_config.yml
index 6254caca7..9a90fb155 100644
--- a/rules/windows/other/dns_server/win_susp_dns_config.yml
+++ b/rules/windows/other/dns_server/win_susp_dns_config.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: critical
 tags:
     - attack.defense_evasion
-    - attack.t1073 # an old one
     - attack.t1574.002
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
index 256ba6ea8..f6eb146e2 100644
--- a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
@@ -10,7 +10,6 @@ date: 2018/06/08
 modified: 2021/11/20
 tags:
     - attack.lateral_movement
-    - attack.t1075 # an old one
     - attack.t1550.002
 logsource:
     product: windows
diff --git a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
index dd4e9f6c5..363596a2f 100644
--- a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
@@ -21,6 +21,5 @@ falsepositives:
 level: low
 tags:
     - attack.persistence
-    - attack.t1053 # an old one
     - attack.s0111
     - attack.t1053.005
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
index 0aef6a5d1..035db4d79 100644
--- a/rules/windows/other/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/other/windefend/win_alert_lsass_access.yml
@@ -9,7 +9,6 @@ date: 2018/08/26
 modified: 2021/11/13
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one # Defender Attack Surface Reduction
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/other/windefend/win_defender_disabled.yml b/rules/windows/other/windefend/win_defender_disabled.yml
index 14063f75e..0d6dbae81 100644
--- a/rules/windows/other/windefend/win_defender_disabled.yml
+++ b/rules/windows/other/windefend/win_defender_disabled.yml
@@ -10,7 +10,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_exclusions.yml b/rules/windows/other/windefend/win_defender_exclusions.yml
index 3f31c3b69..b573e8111 100644
--- a/rules/windows/other/windefend/win_defender_exclusions.yml
+++ b/rules/windows/other/windefend/win_defender_exclusions.yml
@@ -9,7 +9,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
index 07d2196e8..4dbf4c800 100644
--- a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
@@ -12,7 +12,6 @@ tags:
     - attack.execution
     - attack.lateral_movement
     - attack.t1047
-    - attack.t1035 # an old one
     - attack.t1569.002
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
index 0eeb90cc1..69ea17366 100644
--- a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
@@ -8,7 +8,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 falsepositives:
     - Administrator actions
diff --git a/rules/windows/other/wmi/win_wmi_persistence.yml b/rules/windows/other/wmi/win_wmi_persistence.yml
index dcb47caef..9aa85c5f2 100644
--- a/rules/windows/other/wmi/win_wmi_persistence.yml
+++ b/rules/windows/other/wmi/win_wmi_persistence.yml
@@ -11,7 +11,6 @@ references:
 tags:
     - attack.persistence
     - attack.privilege_escalation
-    - attack.t1084 # an old one
     - attack.t1546.003
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index 900ec9f5a..421032085 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -13,7 +13,6 @@ references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
     - attack.execution
-    - attack.t1035 # an old one
     - attack.t1569.002
     - attack.s0029
 fields:
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index d36011ef3..31a1d756c 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -32,5 +32,4 @@ falsepositives:
 level: medium
 tags:
     - attack.execution
-    - attack.t1086 # an old one
     - attack.t1059.001
diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
index 5fa249bee..ee3fb7c22 100644
--- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
@@ -23,7 +23,6 @@ falsepositives:
 level: critical
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 1ba70f716..dd72dd04b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -13,7 +13,6 @@ references:
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
 logsource:
     product: windows
     category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 6ab90c2c2..b7d9d3547 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -8,7 +8,6 @@ tags:
     - attack.defense_evasion
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
 author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 4c4ddb2dd..215c3d778 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -8,7 +8,6 @@ tags:
     - attack.defense_evasion
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 8605312d6..88fde7aae 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -13,10 +13,8 @@ references:
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
     - attack.lateral_movement
     - attack.t1021.006
-    - attack.t1028 # an old one
 logsource:
     product: windows
     category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 95a2be973..bd1a09cbb 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -9,7 +9,6 @@ date: 2020/06/29
 modified: 2021/10/16
 tags:
     - attack.execution
-    - attack.t1086 # an old one
     - attack.t1059.001
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
index 551b1b68b..183154501 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 8996bef6c..f5e493c93 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -8,7 +8,6 @@ modified: 2021/10/16
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 #an old one
 logsource:
     product: windows
     category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index cebabac1d..5622ab6cb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -10,7 +10,6 @@ references:
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 # an old one
 logsource:
     product: windows
     category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index b7a636ef6..fb48751d4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -15,7 +15,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index a13453f9a..8faa41211 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070.003
- - attack.t1146 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 27ec125ce..2ffff9458 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -15,7 +15,6 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index ba800a5b4..424bff297 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -10,10 +10,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
index 097708941..598a3549e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
index 3281bd461..1ebead1f9 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index 1859ba45a..3c9fe2e92 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index a5b0d2a85..ab12a9c07 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -7,10 +7,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.persistence
- - attack.t1136.001
- - attack.t1136 # an old one
+ - attack.t1136.001
 author: '@ROxPinTeddy'
 date: 2020/04/11
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index c556a6603..8c35c9c81 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -24,4 +24,3 @@ level: low
 tags:
 - attack.exfiltration
 - attack.t1560
- - attack.t1002 # an old one
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
index 411443846..ea3a7d0a7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -10,7 +10,6 @@ tags:
 - attack.t1048
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 07fbbbd83..48bb1d48d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
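Review bot: In the posh_ps_create_local_user.yml hunk the line `- attack.t1136.001` is removed and re-added with no visible textual difference, so the only change to that line is whitespace (indentation, trailing space or line ending) that this view cannot show. That is presumably an editor side effect rather than part of the intended removal of `attack.t1136`; it is worth confirming the re-added line uses the same indentation and line ending as the surrounding `tags:` entries so the file does not end up with a mixed style that yamllint would flag. If the line was not meant to change, dropping the `-`/`+` pair for it keeps the hunk to the single tag deletion the commit title describes.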
@@ -12,7 +12,6 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 55aff9fcd..937652d74 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
 modified: 2021/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index f6e400310..d86e73d9a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 91dda5050..f107fce3f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -9,7 +9,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Alec Costello
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index fa8335566..b6784c866 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -8,10 +8,8 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1564.004
- - attack.t1096 # an old one
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: Sami Ruohonen
 date: 2018/07/24
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index a795e8d11..7c532498b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -9,7 +9,6 @@ tags:
 - attack.credential_access
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: John Lambert (idea), Florian Roth (rule)
 date: 2017/04/09
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index 121446277..edd719577 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 9cad56ae0..d916707fe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -10,7 +10,6 @@ tags:
 - attack.t1055
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
index b33c4bea7..b533bf04b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
index 2c106649e..7ee906b99 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 929a6581f..287004ebb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
index 7d4d83170..655f9c3f9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
index 2a6ff8e32..c0a922711 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
@@ -14,7 +14,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 9054932c4..b52c9b8a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1547.004
- - attack.t1004 # an old one
+ - attack.t1547.004
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index dc92e77d1..bd897115e 100644
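Review bot: The posh_ps_winlogon_helper_dll.yml hunk leaves the new file without a terminating newline: `\ No newline at end of file` follows the re-added `- attack.t1547.004`, and no such marker follows the removed old last line, so the missing newline is introduced by this commit rather than inherited. That is a yamllint `new-line-at-end-of-file` finding and will show up as noise in every later diff that touches the end of the file. The fix is to terminate `    - attack.t1547.004` with a newline; since the line is removed and re-added with no visible textual change, the whitespace of that line (indentation and line ending) is presumably what changed and is worth checking against the rest of the file at the same time.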
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -8,7 +8,6 @@ tags:
 - attack.execution
 - attack.t1047
 - attack.t1059.001
- - attack.t1086 #an old one
 author: NVISO
 date: 2020/03/26
 modified: 2021/10/16
diff --git a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
index 745d8b86d..c16f73005 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
@@ -5,10 +5,8 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.t1218.003
- - attack.t1191 # an old one
 - attack.execution
 - attack.t1559.001
- - attack.t1175 # an old one
 - attack.g0069
 - attack.g0080
 - car.2019-04-001
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 9b873293a..b3cf7a362 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 - car.2019-04-004
 logsource:
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index acd4cc71c..c8f9d157f 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -12,7 +12,6 @@ tags:
 - attack.defense_evasion
 - attack.t1055.001
 - attack.t1055.002
- - attack.t1055 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index 474814818..faf00f958 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.002
- - attack.t1089 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 4eb8b34b2..6bc1708e1 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -10,7 +10,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index cf5b00e42..98abacd62 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -19,12 +19,9 @@ tags:
 - attack.credential_access
 - attack.execution
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 - attack.s0002
 falsepositives:
 - low
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index 11bc6e347..50607b328 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -17,7 +17,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
index 95341c500..02541dfcd 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
index 3d9c64bd7..120eaa9c6 100755
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
index 41af8a48f..a8a32766e 100644
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_wocao.yml b/rules/windows/process_creation/process_creation_apt_wocao.yml
index 46bd50982..8897c3feb 100644
--- a/rules/windows/process_creation/process_creation_apt_wocao.yml
+++ b/rules/windows/process_creation/process_creation_apt_wocao.yml
@@ -14,13 +14,10 @@ tags:
 - attack.t1012
 - attack.defense_evasion
 - attack.t1036.004
- - attack.t1036 # an old one
 - attack.t1027
 - attack.execution
 - attack.t1053.005
- - attack.t1053 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 date: 2019/12/20
 modified: 2021/09/19
 logsource:
diff --git a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
index 006a75601..e41e4d43e 100644
--- a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -13,7 +13,6 @@ modified: 2021/09/12
 author: Florian Roth
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/process_creation_hack_dumpert.yml b/rules/windows/process_creation/process_creation_hack_dumpert.yml
index 4f336d5f3..98602bc2c 100644
--- a/rules/windows/process_creation/process_creation_hack_dumpert.yml
+++ b/rules/windows/process_creation/process_creation_hack_dumpert.yml
@@ -10,7 +10,6 @@ date: 2020/02/04
 modified: 2021/12/08
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
index 6d8556cff..b64fa098d 100644
--- a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.persistence
- - attack.t1015 # an old one
 - attack.t1546.008
 - car.2014-11-003
 - car.2014-11-008
diff --git a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
index 5fae2a858..ef3327d7d 100644
--- a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
+++ b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
@@ -11,7 +11,6 @@ modified: 2021/09/21
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
index a0f16d53e..8ccb98db3 100644
--- a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -14,7 +14,6 @@ modified: 2021/09/12
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1088 # an old one
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/process_creation_tool_psexec.yml b/rules/windows/process_creation/process_creation_tool_psexec.yml
index a352369a8..a6e7c236e 100644
--- a/rules/windows/process_creation/process_creation_tool_psexec.yml
+++ b/rules/windows/process_creation/process_creation_tool_psexec.yml
@@ -13,10 +13,8 @@ references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0029
-
 fields:
 - EventID
 - CommandLine
diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
index 2a3b27316..e4f571891 100644
--- a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: critical
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
index 7a27dc2f2..18838b6a6 100644
--- a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
+++ b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
@@ -5,7 +5,6 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1191 # an old one
 - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
index 6acf0e58f..6e14818fb 100644
--- a/rules/windows/process_creation/sysmon_hack_wce.yml
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -9,7 +9,6 @@ date: 2019/12/31
 modified: 2021/07/15
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.s0005
 logsource:
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index b78fef5f9..f56c4d87b 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -27,6 +27,5 @@ falsepositives:
 - penetration tests, red teaming
 level: high
 tags:
- - attack.t1037 # an old one
 - attack.t1037.001
 - attack.persistence
diff --git a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
index 7da6f41fd..637858fba 100644
--- a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
@@ -10,15 +10,12 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.s0111
- - attack.t1050 # an old one
 - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 date: 2018/03/23
 modified: 2021/09/19
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index 86145e21a..b1c55d0e3 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -25,6 +25,4 @@ level: critical
 tags:
 - attack.execution
 - attack.g0016
- - attack.t1086 # an old one
- - attack.t1059 # an old one
 - attack.t1059.001
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index 964fdd165..fcc4833e3 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -22,13 +22,9 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1059 # an old one
- - attack.t1086 # an old one
 - attack.t1059.003
 - attack.t1059.001
 - attack.discovery
 - attack.t1012
 - attack.defense_evasion
- - attack.t1170 # an old one
- - attack.t1218 # an old one
 - attack.t1218.005
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index c78bea144..8c97666b9 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -32,7 +32,5 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1081 # an old one
- - attack.t1003 # an old one
 - attack.t1552.001
 - attack.t1003.003
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index 79e714806..d2e7160a0 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1117 # an old one
 - attack.t1218.010
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 417f1e5e9..0134a29c8 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -26,5 +26,4 @@ level: critical
 tags:
 - attack.execution
 - attack.g0045
- - attack.t1064 # an old one
 - attack.t1059.005
diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml
index 4ee34b3c6..3b6b90888 100755
--- a/rules/windows/process_creation/win_apt_elise.yml
+++ b/rules/windows/process_creation/win_apt_elise.yml
@@ -25,5 +25,4 @@ tags:
 - attack.g0050
 - attack.s0081
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.003
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
index de8445e1d..9cda75656 100644
--- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 5590dd0df..fd3b97578 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -24,4 +24,3 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1218.010
- - attack.t1117 # an old one
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 239bec27a..371c521ec 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -25,5 +25,4 @@ level: critical
 tags:
 - attack.g0020
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
index 2d859fc06..bf606f567 100644
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index 6a1b7e668..bf6de5e1d 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -11,11 +11,9 @@ tags:
 - attack.g0049
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 - attack.command_and_control
 - attack.t1105
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index 4ac634838..c7606ca3c 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -31,8 +31,6 @@ tags:
 - attack.lateral_movement
 - attack.g0010
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.exfiltration
- - attack.t1002 # an old one
 - attack.t1560.001
diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
index ab2c43ff3..5de08498b 100644
--- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
+++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -29,5 +29,4 @@ level: critical
 tags:
 - attack.g0004
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index 53f793c7f..e9f887454 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.005
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index e0975073f..cd57ea865 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -12,10 +12,8 @@ references:
 tags:
 - attack.g0007
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.003
 - attack.defense_evasion
- - attack.t1085 # an old one
 - car.2013-10-002
 - attack.t1218.011
 logsource:
diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
index f337f4580..5de827af1 100755
--- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
+++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
@@ -20,6 +20,5 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.g0035
- - attack.t1036 # an old one
 - attack.t1036.003
 - car.2013-05-009
diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml
index 3115b3104..7edbbc58c 100644
--- a/rules/windows/process_creation/win_apt_taidoor.yml
+++ b/rules/windows/process_creation/win_apt_taidoor.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: critical
 tags:
 - attack.execution
- - attack.t1055 # an old one
 - attack.t1055.001
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 70dcfd75e..3f99ef284 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -9,7 +9,6 @@ references:
 - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
 tags:
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
index 308d6f6b3..62e7b5c46 100644
--- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -27,8 +27,6 @@ level: critical
 tags:
 - attack.g0010
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.t1027
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index 9b9924582..269487c32 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -11,7 +11,6 @@ modified: 2021/09/19
 tags:
 - attack.execution
 - attack.t1218.011
- - attack.t1085 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index 595829255..95b7e5160 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -34,5 +34,4 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1574.002
- - attack.t1073 # an old one
 - attack.g0044
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
index 3a4d55978..2df79a775 100644
--- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -28,5 +28,4 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1574.002
- - attack.t1073 # an old one
 - attack.g0044
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index b28bdae32..d47b54577 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -27,9 +27,7 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.defense_evasion
 - attack.t1218.011
- - attack.t1085 # an old one
 - attack.s0412
 - attack.g0001
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index f25853f7e..a06d44563 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -30,4 +30,3 @@ level: low
 tags:
 - attack.defense_evasion
 - attack.t1564.001
- - attack.t1158 # an old one
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
index f3f2deefb..ed0ee3f1d 100644
--- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -18,7 +18,6 @@ references:
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 9d7154328..6cb0289af 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -38,4 +38,3 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.t1059 # an old one
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index 39ead0991..aebb33e3d 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -31,4 +31,3 @@ level: low
 tags:
 - attack.persistence
 - attack.t1546.001
- - attack.t1042 # an old one
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 4d8a91334..6bc458264 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -11,7 +11,6 @@ modified: 2021/07/07
 tags:
 - attack.credential_access
 - attack.t1003.005
- - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 7a12cc4a4..8fc6974f8 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -7,9 +7,7 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
- - attack.t1088 # an old one
 - attack.t1218.003
- - attack.t1191 # an old one
 - attack.g0069
 - car.2019-04-001
 author: Nik Seetharaman, Christian Burkard
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 65790fd31..60b22b197 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -24,4 +24,3 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 4c7d6f778..f99241c94 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -32,6 +32,5 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1218.002
- - attack.t1196 # an old one
 - attack.persistence
 - attack.t1546
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index 8a73e1118..2d41fb2ef 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -38,6 +38,5 @@ tags:
 - attack.credential_access
 - attack.t1003.002
 - attack.t1003.003
- - attack.t1003 # an old one
 - car.2013-07-001
 - attack.s0404
diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
index c67033c10..8d361c2c1 100644
--- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
@@ -10,7 +10,6 @@ references:
 - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 tags:
 - attack.credential_access
- - attack.t1174 # an old one
 - attack.t1556.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 1b4bfd5c4..956047838 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -27,4 +27,3 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1218.011
- - attack.t1085 # an old one
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
index 8f8be3398..335b05c1c 100644
--- a/rules/windows/process_creation/win_crime_maze_ransomware.yml
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -12,7 +12,6 @@ modified: 2021/06/27
 tags:
 - attack.execution
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.t1047
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index 5f773d70e..f5d8fea51 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -28,7 +28,5 @@ falsepositives:
 - Highly likely if rar is a default archiver in the monitored environment.
 level: low
 tags:
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
index 6d32387c5..e64b59455 100644
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -19,9 +19,6 @@ level: high
 tags:
 - attack.exfiltration
 - attack.t1048.001
- - attack.t1048 # an old one
 - attack.command_and_control
 - attack.t1071.004
- - attack.t1071 # an old one
 - attack.t1132.001
- - attack.t1132 # an old one
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index cf8eab19a..2fe209a11 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -23,4 +23,3 @@ tags:
 - attack.t1140
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index ce729589d..29310e995 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -25,4 +25,3 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
index e8bdeabe3..6168319ef 100644
--- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
@@ -22,7 +22,6 @@ level: medium
 tags:
 - attack.exfiltration
 - attack.command_and_control
- - attack.t1043 # an old one
 - attack.t1041
 - attack.t1572
 - attack.t1071.001
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index 058135789..46c3fd96f 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -22,4 +22,3 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1036.005
- - attack.t1036 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 6f646ada8..366161d87 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -22,7 +22,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 97816d3eb..e18716b04 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -24,7 +24,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 9462de4c8..cdcb80633 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -23,7 +23,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index f3bf0b305..25bd0ce55 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -34,6 +34,5 @@ tags:
 - attack.t1068
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.t1574
 - cve.2019.1378
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
index db2fbb2fd..f3e13062d 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -27,8 +27,6 @@ tags:
 - attack.t1190
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.s0190
 - cve.2020.10189
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
index 1cf672143..99e1ac1cb 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -30,4 +30,3 @@ tags:
 - attack.persistence
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 15e2bb975..6d031b2cd 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1222.001
- - attack.t1222 # an old one
+ - attack.t1222.001
\ No newline at end of file
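Review bot: The win_file_permission_modifications.yml hunk drops the file's terminal newline — `\ No newline at end of file` appears only under the new `- attack.t1222.001` line and not under the old side, which is also why an otherwise untouched tag line shows up as removed-and-re-added instead of as the one-line deletion every other hunk in this commit is. The same pattern occurs in the win_hack_koadic.yml and win_hh_chm.yml hunks. Ending those three files with a newline again would turn them into pure deletions like the rest of the change and keep them clean under yamllint's new-line-at-end-of-file check. Separately, several hunks show the rules' `modified:` field as unchanged context; if the project treats a tag change as a rule modification, that field presumably needs bumping in the affected files as well.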
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index ea2d0dcd9..f57aab90e 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -48,5 +48,4 @@ tags:
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
- - attack.t1003 # an old one
 - car.2013-07-001
diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml
index 3288e0325..5348ee4dc 100644
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@@ -38,11 +38,8 @@ tags:
 - attack.discovery
 - attack.t1087.001
 - attack.t1087.002
- - attack.t1087 # an old one
 - attack.t1482
 - attack.t1069.001
 - attack.t1069.002
- - attack.t1069 # an old one
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
index 00c8a6457..de808b09f 100644
--- a/rules/windows/process_creation/win_hack_koadic.yml
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -29,7 +29,5 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.t1059.005
- - attack.t1059.007
- - attack.t1064 # an old one
+ - attack.t1059.007
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 0d2a8a8ea..2f2be0485 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -33,7 +33,5 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1558.003
- - attack.t1558 # an old one
 - attack.lateral_movement
 - attack.t1550.003
- - attack.t1097 # an old one
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml
index 3555ed2db..269387b78 100644
--- a/rules/windows/process_creation/win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/win_hack_secutyxploded.yml
@@ -11,8 +11,6 @@ modified: 2021/05/11
 tags:
 - attack.credential_access
 - attack.t1555
- - attack.t1003 # an old one
- - attack.t1503 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
index 21ee36e10..31d4db1ec 100644
--- a/rules/windows/process_creation/win_hh_chm.yml
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -25,6 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1218.001
- - attack.execution # an old one
- - attack.t1223 # an old one
+ - attack.t1218.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
index 04c9f49ab..c02a938e3 100644
--- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
@@ -8,7 +8,6 @@ date: 2020/21/04
 modified: 2021/06/11
 author: Sreeman
 tags:
- - attack.t1064
 - attack.t1211
 - attack.t1059
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index a54f7b140..6f8fea711 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -10,7 +10,6 @@ modified: 2021/09/19
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml
index 971bfb366..6eb7b0667 100644
--- a/rules/windows/process_creation/win_html_help_spawn.yml
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -34,7 +34,6 @@ tags:
 - attack.t1218.010
 - attack.t1218.011
 - attack.execution
- - attack.t1223 # an old one
 - attack.t1059.001
 - attack.t1059.003
 - attack.t1059.005
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index 9a7d4c55f..5c34f31f4 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -25,9 +25,7 @@ level: high
 tags:
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
 - attack.execution
 - attack.t1203
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.g0032
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index 0d9c18037..455a6010d 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -64,6 +64,4 @@ tags:
 - attack.execution
 - attack.t1047
 - attack.lateral_movement
- - attack.t1175 # an old one
 - attack.t1021.003
- - attack.t1021 # an old one
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index 2e1c00d3b..c58de2186 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -30,4 +30,3 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1546.008
- - attack.t1015 # an old one
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
index b3f8beed9..dc70e52e8 100644
--- a/rules/windows/process_creation/win_interactive_at.yml
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -26,4 +26,3 @@ level: high
 tags:
 - attack.privilege_escalation
 - attack.t1053.002
- - attack.t1053 # an old one
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
index 8eaa326ba..13908f26f 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -28,4 +28,3 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index c342fe36a..dcfde00a4 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -21,5 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1218.005
- - attack.execution # an old one
- - attack.t1170 # an old one
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
index c413f4987..27c50a03e 100644
--- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -62,4 +62,3 @@ tags:
 - attack.discovery
 - attack.t1033
 - attack.t1087.001
- - attack.t1087 # an old one
diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
index 447057246..c06734aac 100644
--- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
+++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
@@ -10,7 +10,6 @@ modified: 2021/06/11
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085 # an old one
 - attack.t1218.011
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
index 9860bfa66..92b8e8fc5 100644
--- a/rules/windows/process_creation/win_lsass_dump.yml
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -34,4 +34,3 @@ level: high
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 35a24f5a2..b777f363a 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -12,7 +12,6 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.t1064 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
index e0f748816..a005aad69 100644
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -8,7 +8,6 @@ modified: 2021/11/29
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.defense_evasion
 - attack.t1027
 references:
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 1401ee4b8..1f6d68412 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -33,11 +33,7 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1218.011
- - attack.execution # an old one
- - attack.t1085 # an old one
 - attack.t1070.001
- - attack.t1070 # an old one
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - car.2016-04-002
diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml
index 5e6554068..812ee0c66 100644
--- a/rules/windows/process_creation/win_malware_qbot.yml
+++ b/rules/windows/process_creation/win_malware_qbot.yml
@@ -8,8 +8,6 @@ modified: 2021/01/25
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
 references:
 - https://twitter.com/killamjr/status/1179034907932315648
 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
diff --git a/rules/windows/process_creation/win_malware_ryuk.yml b/rules/windows/process_creation/win_malware_ryuk.yml
index d5a013d24..0505a7518 100644
--- a/rules/windows/process_creation/win_malware_ryuk.yml
+++ b/rules/windows/process_creation/win_malware_ryuk.yml
@@ -25,4 +25,3 @@ level: critical
 tags:
 - attack.persistence
 - attack.t1547.001
- - attack.t1060 # an old one
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 991f5f3a1..7457d8f48 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -37,5 +37,3 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 5498fac78..b9bc99598 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -58,7 +58,6 @@ tags:
 - attack.t1083
 - attack.defense_evasion
 - attack.t1222.001
- - attack.t1222 # an old one
 - attack.impact
 - attack.t1486
 - attack.t1490
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index a1ceeef7a..465d9c9de 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -20,6 +20,5 @@ falsepositives:
 - unknown
 level: critical
 tags:
- - attack.t1055 # an old one
 - attack.t1055.001
 - attack.t1218
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index f7fe4b4bf..59be92668 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -10,7 +10,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index c876678d4..4ba3573a8 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -10,7 +10,6 @@ date: 2019/10/22
 modified: 2021/12/20
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
diff --git a/rules/windows/process_creation/win_mmc20_lateral_movement.yml b/rules/windows/process_creation/win_mmc20_lateral_movement.yml
index 4a2128d2f..87f5f84ab 100644
--- a/rules/windows/process_creation/win_mmc20_lateral_movement.yml
+++ b/rules/windows/process_creation/win_mmc20_lateral_movement.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1175 # an old one
 - attack.t1021.003
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index a5718cb6b..1d5e81243 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -33,5 +33,4 @@ fields:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1175 # an old one
 - attack.t1021.003
diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
index 7b146ad29..f818a52a8 100644
--- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -6,9 +6,7 @@ references:
 status: experimental
 tags:
 - attack.persistence
- - attack.t1031 # an old one
 - attack.t1543.003
- - attack.t1058 # an old one
 - attack.t1574.011
 author: Sreeman
 date: 2020/09/29
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index 2c178ca7e..6a83af5e9 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1170 # an old one
 - attack.t1218.005
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 2bdbff9c6..3d47a06ee 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -35,7 +35,6 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1170 # an old one
 - attack.t1218.005
 - car.2013-02-003
 - car.2013-03-001
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index fe8e125f4..b20d4c064 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -30,5 +30,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
index 1bef8de86..c875ca215 100644
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.004
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 82a419946..4dc66d7ef 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.004
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
index d8abf36bc..f20dced4e 100644
--- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
@@ -57,5 +57,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.004
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index 93134c22e..7182f6f9c 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -25,5 +25,4 @@ level: low
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 68cb6815d..c772b686b 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -9,7 +9,6 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index e06da5ede..c71a80191 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -52,5 +52,4 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1204 # an old one
 - attack.t1204.002
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index fbb81445b..c920f4450 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -7,7 +7,6 @@ references:
 - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
 tags:
 - attack.execution
- - attack.t1204 # an old one
 - attack.t1204.002
 - attack.g0046
 - car.2013-05-002
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index b49d01714..541f37f4c 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -93,5 +93,4 @@ level: high
 tags:
 - attack.s0013
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 604cf1171..8f0583ae3 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -31,12 +31,8 @@ falsepositives:
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1118 # an old one
 - attack.t1218.004
- - attack.t1121 # an old one
 - attack.t1218.009
- - attack.t1127 # an old one
 - attack.t1127.001
- - attack.t1170 # an old one
 - attack.t1218.005
 - attack.t1218 # no way to map 1:1, so the technique level is required
diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml
index 8c0411ff2..d8a7dae29 100755
--- a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml
+++ b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml
@@ -6,7 +6,6 @@ references:
 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 tags:
 - attack.privilege_escalation
- - attack.t1058 # an old one
 - attack.t1574.011
 status: experimental
 author: Teymur Kheirkhabarov
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 09998eae9..2c58a5c20 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
index f9cdc7643..3daa30895 100644
--- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml
+++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
@@ -11,7 +11,6 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 4fc137225..befce328c 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index 70e0f1d72..856abdef9 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -31,5 +31,4 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 37b1e3235..f68352373 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -26,6 +26,5 @@ falsepositives:
 - unknown
 level: medium
 tags:
- - attack.t1086 # an old one
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
index 06cee06aa..58199e0fa 100644
--- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
+++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
@@ -10,7 +10,6 @@ date: 2021/03/03
 modified: 2021/06/27
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index cdbf19a7c..2727ed012 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -61,5 +61,4 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index c09ec56b0..7b42b8dd9 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -29,7 +29,6 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1086 # an old one
 - attack.t1059.001
 - attack.t1140
 - attack.t1027
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index 32304fcde..4b13c0cca 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -38,8 +38,6 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1053 # an old one
- - attack.t1086 # an old one
 - attack.s0111
 - attack.g0022
 - attack.g0060
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index cc7e331b6..d4040c6ab 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -12,7 +12,6 @@ date: 2019/02/23
 modified: 2021/11/24
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
 - attack.t1036.005
 logsource:
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index c261b918a..9bacedfbd 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -13,7 +13,6 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - attack.credential_access
- - attack.t1003 # an old one
 - car.2013-05-009
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index c854fac36..78252d478 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -17,6 +17,5 @@ falsepositives:
 level: low
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.s0029
 - attack.t1569.002
diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
index 27e8145f1..f4e243d03 100644
--- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -26,7 +26,6 @@ level: high
 tags:
 - attack.execution
 - attack.defense_evasion
- - attack.t1059 # an old one
 - attack.t1106
 - attack.t1059.003
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 64886809f..918ecf848 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -9,7 +9,6 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 - attack.t1021.006
 logsource:
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index 0f827f6d0..67777f2f1 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml
@@ -65,5 +65,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 9bdd3dfa4..7985b931c 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -49,5 +49,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
index 6c207f7ba..46e925dcd 100644
--- a/rules/windows/process_creation/win_renamed_jusched.yml
+++ b/rules/windows/process_creation/win_renamed_jusched.yml
@@ -25,5 +25,4 @@ level: high
 tags:
 - attack.execution
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index 8213ed3fe..02c8e11b8 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -29,7 +29,6 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
 - attack.g0046
 - car.2013-05-009
diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
index 59633afe4..3f6dfa2b4 100644
--- a/rules/windows/process_creation/win_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -10,7 +10,6 @@ modified: 2021/07/03
 tags:
 - car.2013-05-009
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
index 88783c5d7..843aa8c3e 100644
--- a/rules/windows/process_creation/win_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -9,7 +9,6 @@ date: 2019/11/18
 modified: 2021/08/16
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 9301e549c..5ab16c728 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -26,5 +26,4 @@ level: high
 tags:
 - car.2013-05-009
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.003
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index 236e6441a..1e3a8da04 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1096 # an old one
 - attack.t1564.004
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index c688f5fa9..e1113ee4b 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -8,7 +8,6 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1546.011
- - attack.t1138 # an old one
 author: Markus Neis
 date: 2019/01/16
 modified: 2021/08/14
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 5fc3a2a35..9b350bdda 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: low
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1569.002
diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
index bfff03645..b2b8b1b67 100644
--- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
@@ -21,6 +21,5 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.003
diff --git a/rules/windows/process_creation/win_shell_spawn_mshta.yml b/rules/windows/process_creation/win_shell_spawn_mshta.yml
index d77e607c1..9bc718927 100644
--- a/rules/windows/process_creation/win_shell_spawn_mshta.yml
+++ b/rules/windows/process_creation/win_shell_spawn_mshta.yml
@@ -10,7 +10,6 @@ date: 2021/06/28
 tags:
 - attack.execution
 - attack.defense_evasion
- - attack.t1064 # an old one
 - attack.t1059.005
 - attack.t1059.001
 - attack.t1218
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index b215a6ab5..bd5146fed 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -39,7 +39,6 @@ level: high
 tags:
 - attack.execution
 - attack.defense_evasion
- - attack.t1064 # an old one
 - attack.t1059.005
 - attack.t1059.001
 - attack.t1218
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index e88cda05d..1f818c290 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -26,4 +26,3 @@ level: medium
 tags:
 - attack.credential_access
 - attack.t1558.003
- - attack.t1208 # an old one
diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
index fc9cb34de..212852fa1 100644
--- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
+++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
@@ -9,7 +9,6 @@ date: 2020/02/18
 modified: 2022/01/11
 author: Sreeman
 tags:
- - attack.t1015 # an old one
 - attack.t1546.008
 - attack.privilege_escalation
 logsource:
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index b6c580934..1e2238e94 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -13,7 +13,6 @@ tags:
 - attack.t1070
 - attack.persistence
 - attack.t1542.003
- - attack.t1067 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
index 79e852bb6..b8405479e 100644
--- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
@@ -33,5 +33,4 @@ falsepositives:
 level: high
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.002
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index ceb84518a..6aefefbfe 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -32,6 +32,3 @@ level: high
 tags:
 - attack.collection
 - attack.t1560.001
- - attack.exfiltration # an old one
- - attack.t1020 # an old one
- - attack.t1002 # an old one
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index c25161a86..f5d59fe57 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -33,4 +33,3 @@ tags:
 - attack.t1218.011
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index a435db36c..d39c81233 100644
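Review bot: In the win_susp_compression_params.yml hunk the removed `- attack.exfiltration` and `- attack.t1020` lines are a tactic and, as far as I know, a technique id that is still current (Automated Exfiltration), unlike the genuinely retired `attack.t1002` next to them; the rule is thereby narrowed to Collection/T1560.001, which is a re-mapping rather than the "invalid tag" removal the commit title describes. If the narrower mapping is intended, a sentence in the commit description would help users whose coverage reports or tag-keyed SIEM filters rely on the exfiltration tactic; if not, keep `- attack.exfiltration` and `- attack.t1020` and drop only `- attack.t1002`. The same tactic removal happens in win_susp_rar_flags.yml later in the patch, where only the retired T1002 sits beside it, so that one may be fine as is.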
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 37a2d98d3..d133ba198 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -42,6 +42,5 @@ tags:
 - attack.collection
 - attack.exfiltration
 - attack.t1039
- - attack.t1105 # an old one
 - attack.t1048
 - attack.t1021.002
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index a7900d6a3..e1c9bd854 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -32,5 +32,4 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1059.001
- - attack.t1564.003
- - attack.t1086 # an old one
+ - attack.t1564.003
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index 9a5f1afb3..8b2ae8d21 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -11,7 +11,6 @@ tags:
 - attack.t1059.003
 - attack.t1059.001
 - attack.s0106
- - attack.t1086 # an old one
 author: Thomas Patzke
 date: 2020/05/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
index 587425522..aa1c2aef0 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
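Review bot: `- attack.t1105 # an old one` is removed from win_susp_copy_lateral_movement.yml as a retired id, yet the same patch keeps `- attack.t1105` untouched as context in win_susp_ps_downloadfile.yml, so T1105 does not appear to be invalid in this rule set. If the intent is a deliberate re-mapping of lateral file copies away from T1105 onto `attack.t1021.002`, the commit message should say so; otherwise the line should be restored so the rule's command-and-control coverage is not silently lost.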
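Review bot: The re-added `+ - attack.t1564.003` in win_susp_covenant.yml is followed by `\ No newline at end of file`, while the old side carried no such marker, so this hunk drops the file's terminating newline. Re-adding the line with its newline keeps the rule file POSIX-clean and avoids a spurious one-line change the next time it is edited. The same remove-and-re-add of a visually identical line appears in win_susp_devtoolslauncher.yml (`+ - attack.t1218`) and win_susp_procdump_lsass.yml (`+ - attack.t1003.001`); the collapsed diff does not show whether those are whitespace-only differences, so they deserve the same quick check.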
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
@@ -36,5 +36,3 @@ tags:
 - attack.t1059.001
 - attack.defense_evasion
 - attack.t1027.005
- - attack.t1027 # an old one
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml
index 68b300326..eb15b5628 100644
--- a/rules/windows/process_creation/win_susp_csc.yml
+++ b/rules/windows/process_creation/win_susp_csc.yml
@@ -26,6 +26,5 @@ tags:
 - attack.t1059.005
 - attack.t1059.007
 - attack.defense_evasion
- - attack.t1500 # an old one
 - attack.t1218.005
 - attack.t1027.004
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 96ff5178b..3fbae6f32 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -12,7 +12,6 @@ date: 2019/08/24
 modified: 2021/02/01
 tags:
 - attack.defense_evasion
- - attack.t1500 # an old one
 - attack.t1027.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
index e758f6315..30deb267c 100644
--- a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
+++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
@@ -30,4 +30,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1055.001
- - attack.t1055 # an old one
diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
index f8d0c8f9f..9b2ab10a9 100644
--- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1218
- - attack.execution # an old one
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 1333585a3..ba1ad00df 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -37,4 +37,3 @@ level: medium
 tags:
 - attack.persistence
 - attack.t1547.001
- - attack.t1060 # an old one
diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml
index 96cb4a40a..a7a95326e 100644
--- a/rules/windows/process_creation/win_susp_disable_ie_features.yml
+++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml
@@ -30,4 +30,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml
index d5ed9858c..899c82581 100644
--- a/rules/windows/process_creation/win_susp_ditsnap.yml
+++ b/rules/windows/process_creation/win_susp_ditsnap.yml
@@ -25,4 +25,3 @@ level: high
 tags:
 - attack.credential_access
 - attack.t1003.003
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index 24ae43496..447355b3a 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -22,4 +22,3 @@ tags:
 - attack.defense_evasion
 - attack.t1218
 - attack.t1027.004
- - attack.execution # an old one
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index d14cf33a6..ea3f5a4e1 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -32,4 +32,3 @@ level: critical
 tags:
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index 1fe56e4ed..31a2e2bef 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -24,4 +24,3 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1218
- - attack.execution # an old one
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index b2d6bc67a..a0ddf9485 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -37,5 +37,4 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1070.001
- - attack.t1070 # an old one
 - car.2016-04-002
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index 9e1ad907d..8f63d9810 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -32,4 +32,3 @@ level: medium
 tags:
 - attack.persistence
 - attack.t1505.003
- - attack.t1100 # an old one
diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
index 7bfd6a159..b140f479a 100644
--- a/rules/windows/process_creation/win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -11,8 +11,6 @@ modified: 2021/06/27
 tags:
 - attack.execution
 - attack.t1059.006
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 5751fdad8..4d09b1602 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -26,4 +26,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1574.002
- - attack.t1073 # an old one
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 941506213..afb95cec6 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -24,4 +24,3 @@ level: medium
 tags:
 - attack.persistence
 - attack.t1505.003
- - attack.t1100 # an old one
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
index 9d22cc0af..e2ede2aeb 100644
--- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
@@ -25,4 +25,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1036.005
- - attack.t1036 # an old one
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index dee88ff69..8327351a0 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -20,4 +20,3 @@ level: medium
 tags:
 - attack.credential_access
 - attack.t1003.003
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
index 1bb004701..5dd9e0c24 100644
--- a/rules/windows/process_creation/win_susp_odbcconf.yml
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
@@ -27,5 +27,3 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1218.008
- - attack.execution # an old one
- - attack.t1218 # an old one
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml
index bff1cf575..92bcf7e23 100644
--- a/rules/windows/process_creation/win_susp_openwith.yml
+++ b/rules/windows/process_creation/win_susp_openwith.yml
@@ -22,4 +22,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1218
- - attack.execution # an old one
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index 2059eb01a..6124d0ec2 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -8,7 +8,6 @@ modified: 2021/06/27
 tags:
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 #an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
index 38ebf22eb..88c8c7bc2 100644
--- a/rules/windows/process_creation/win_susp_pcwutl.yml
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
@@ -24,5 +24,3 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1218.011
- - attack.execution # an old one
- - attack.t1218 # an old one
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index 9d4a166a7..f8ed94c4f 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -29,4 +29,3 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 194fb3f6d..eab62357c 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -27,5 +27,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
- - attack.t1088 # an old one
 - car.2019-04-001
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index 760907af5..c54e1962a 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -10,7 +10,6 @@ modified: 2021/03/02
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
index 8a47cb294..f097432ae 100644
--- a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -20,6 +20,5 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 7d449f116..ffdd8aded 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -71,4 +71,3 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 3a70cb1e3..f11b4433a 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -29,4 +29,3 @@ level: medium tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 9d379112e..ec85223dd 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -57,4 +57,3 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml index 299ed2930..8efcfe570 100644 --- a/rules/windows/process_creation/win_susp_procdump_lsass.yml +++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml @@ -11,8 +11,7 @@ tags: - attack.defense_evasion - attack.t1036 - attack.credential_access - - attack.t1003.001 - - attack.t1003 # an old one + - attack.t1003.001 - car.2013-05-009 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index 18bbbbebb..1a19bc555 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -8,7 +8,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/09 modified: 2021/11/28 diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml index b6b71035f..d6ab62278 100644 --- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml +++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml 
@@ -23,7 +23,6 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.command_and_control - attack.t1104 - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml index b4a58ce1d..7055b8ae2 100644 --- a/rules/windows/process_creation/win_susp_rar_flags.yml +++ b/rules/windows/process_creation/win_susp_rar_flags.yml @@ -12,8 +12,6 @@ modified: 2021/07/27 tags: - attack.collection - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1002 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml index 86a20dd25..bf1f81614 100644 --- a/rules/windows/process_creation/win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml @@ -22,4 +22,3 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 - - attack.t1064 # an old one diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml index 8712392b9..ec29da6a7 100644 --- a/rules/windows/process_creation/win_susp_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_recon_activity.yml @@ -12,7 +12,6 @@ tags: - attack.discovery - attack.t1087.001 - attack.t1087.002 - - attack.t1087 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 0e98a9e1f..41133d360 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml 
@@ -11,8 +11,6 @@ references: tags: - attack.defense_evasion - attack.t1218.010 - - attack.execution # an old one - - attack.t1117 # an old one - car.2019-04-002 - car.2019-04-003 logsource: diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml index fea242d3d..03d3ccf4f 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml @@ -26,4 +26,3 @@ level: high tags: - attack.defense_evasion - attack.t1218.010 - - attack.t1117 # an old one diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml index 5c9525cad..76bdf7c29 100644 --- a/rules/windows/process_creation/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml @@ -74,6 +74,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.execution # an old one - attack.t1218.011 - - attack.t1085 # an old one diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 367971c00..799053628 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -8,9 +8,7 @@ references: - https://twitter.com/cyb3rops/status/1186631731543236608 tags: - attack.defense_evasion - - attack.execution # an old one - attack.t1218.011 - - attack.t1085 # an old one author: Florian Roth date: 2019/10/22 modified: 2021/12/08 diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml index bc671f4cf..ecb3d7a8e 100644 --- a/rules/windows/process_creation/win_susp_schtask_creation.yml +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml 
@@ -25,7 +25,6 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1053.005
- - attack.t1053 # an old one
 - attack.s0111
 - car.2013-08-001
 falsepositives:
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 4b52d2493..9b011d35f 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -29,4 +29,4 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.t1064 # an old one
+
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 116b6c54a..733b00059 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -31,4 +31,3 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1543.003
- - attack.t1031 # an old one
diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
index 11c66ddbc..8217e0459 100644
--- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
@@ -6,7 +6,6 @@ author: FPT.EagleEye Team, wagga
 date: 2020/12/11
 modified: 2021/06/27
 tags:
- - attack.t1100 # an old one
 - attack.t1505.003
 - attack.t1190
 - attack.initial_access
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index af0cdb025..33755d48f 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
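Review bot: The hunk for win_susp_script_execution.yml replaces the removed `attack.t1064` entry with an added empty line (`@@ -29,4 +29,4 @@`), so the tags list now ends in a blank line instead of shrinking by one line as it does in every other file of this patch. It should be a pure deletion, `@@ -29,4 +29,3 @@` with no `+` line; the stray blank line is harmless to the YAML parser but inconsistent with the rest of the change and will be picked up by trailing-whitespace and yamllint checks.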
@@ -5,7 +5,6 @@ description: Detects a suspicious svchost process start tags: - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one author: Florian Roth date: 2017/08/15 modified: 2021/12/03 diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index 4c62a63c3..c48a543f1 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml @@ -23,4 +23,3 @@ level: medium tags: - attack.credential_access - attack.t1552.006 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml index c7e82c10a..0a90bd343 100644 --- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml @@ -21,6 +21,5 @@ level: high tags: - attack.lateral_movement - attack.t1563.002 - - attack.t1076 # an old one - attack.t1021.001 - car.2013-07-002 diff --git a/rules/windows/process_creation/win_susp_winrar_dmp.yml b/rules/windows/process_creation/win_susp_winrar_dmp.yml index 450a62401..26acf49b3 100644 --- a/rules/windows/process_creation/win_susp_winrar_dmp.yml +++ b/rules/windows/process_creation/win_susp_winrar_dmp.yml @@ -6,11 +6,6 @@ references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth date: 2022/01/04 -tags: - - attack.collection - - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1002 # an old one logsource: category: process_creation product: windows 
@@ -25,4 +20,7 @@ detection:
 condition: selection and dumpfile
 falsepositives:
 - Legitimate use of WinRAR with a command line in which .dmp appears incidentally
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.collection
+ - attack.t1560.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_winrar_execution.yml b/rules/windows/process_creation/win_susp_winrar_execution.yml
index f7f0bbb6f..3f65047b3 100644
--- a/rules/windows/process_creation/win_susp_winrar_execution.yml
+++ b/rules/windows/process_creation/win_susp_winrar_execution.yml
@@ -10,8 +10,6 @@ modified: 2021/11/22
 tags:
 - attack.collection
 - attack.t1560.001
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index e45421438..79b05e66a 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -13,8 +13,6 @@ tags:
 - attack.persistence
 - attack.execution
 - attack.t1574.002
- - attack.t1059 # an old one
- - attack.t1064 # an old one
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 8e731a03d..fcf0bf8be 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -30,5 +30,3 @@ tags:
 - attack.defense_evasion
 - attack.t1548.002
 - attack.t1218.003
- - attack.t1191 # an old one
- - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index 2e11331ae..22dcb8137 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
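Review bot: The second hunk for win_susp_winrar_dmp.yml does more than drop the retired tags: it relocates the whole `tags:` block from after `date:` to the end of the file, and the new last line is marked `\ No newline at end of file`. The same relocation appears in win_wmi_spwns_powershell.yml, registry_event_apt_chafer_mar18.yml, registry_event_mal_adwind.yml, registry_event_stickykey_like_backdoor.yml, registry_event_uac_bypass_eventvwr.yml, sysmon_apt_leviathan.yml, sysmon_asep_reg_keys_modification.yml, sysmon_cmstp_execution_by_registry.yml, sysmon_new_dll_added_to_appinit_dlls_registry_key.yml, sysmon_registry_persistence_key_linking.yml, sysmon_susp_run_key_img_folder.yml, sysmon_uac_bypass_sdclt.yml and sysmon_wmi_susp_scripting.yml, while every other rule in this patch keeps `tags:` where it was. This looks like a side effect of the tool used to strip the entries rather than an intended reordering; removing only the flagged lines in place would keep the diff aligned with the "remove invalid tag" subject and avoid churning the key order of these rules. Whatever is decided about placement, the rewritten files should end with a trailing newline so they match the rest of the repository.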
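Review bot: Removing `attack.t1059` from win_task_folder_evasion.yml leaves the `attack.execution` tactic tag with no technique behind it, because the remaining `attack.t1574.002` maps to persistence, privilege escalation and defense evasion; T1059 is also a current parent technique rather than a retired ID, so it is not obvious it belongs with the deprecated `t1064`. Either keep `    - attack.t1059` or remove `    - attack.execution` together with it. sysmon_susp_lsass_dll_load.yml ends up in the same shape once `attack.t1177` is dropped: `attack.execution` remains with only `attack.t1547.008`, which is a persistence/privilege-escalation sub-technique.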
@@ -25,4 +25,3 @@ level: high tags: - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml index 948c66174..877ffb1b4 100644 --- a/rules/windows/process_creation/win_uac_wsreset.yml +++ b/rules/windows/process_creation/win_uac_wsreset.yml @@ -22,4 +22,3 @@ level: high tags: - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 5b06496a8..fea0fc749 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -14,8 +14,6 @@ tags: - attack.t1018 - attack.t1033 - attack.t1087 - - attack.privilege_escalation # an old one - - attack.t1100 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml index 1686926ee..6ae3785b5 100644 --- a/rules/windows/process_creation/win_webshell_recon_detection.yml +++ b/rules/windows/process_creation/win_webshell_recon_detection.yml @@ -39,5 +39,3 @@ level: high tags: - attack.persistence - attack.t1505.003 - - attack.privilege_escalation # an old one - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index 762ee4c21..e1d133705 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -34,5 +34,4 @@ level: high tags: - attack.persistence - attack.t1505.003 - - attack.privilege_escalation # an old one - attack.t1190 
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml index 8bdca5328..5627d30b2 100644 --- a/rules/windows/process_creation/win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml @@ -25,5 +25,4 @@ level: high tags: - attack.privilege_escalation - attack.t1053.005 - - attack.t1053 # an old one - car.2013-08-001 diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index d7a084782..672859839 100644 --- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -21,4 +21,3 @@ level: critical tags: - attack.persistence - attack.t1546.003 - - attack.t1084 # an old one diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml index 2f6e315fe..d0ce675cc 100644 --- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -22,4 +22,3 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.003 - - attack.t1047 # an old one diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml index 90a71de04..90b422eab 100644 --- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml 
@@ -8,12 +8,6 @@ references: author: Markus Neis / @Karneades date: 2019/04/03 modified: 2021/02/24 -tags: - - attack.execution - - attack.t1047 - - attack.t1059.001 - - attack.defense_evasion # an old one - - attack.t1064 # an old one logsource: category: process_creation product: windows @@ -32,3 +26,7 @@ falsepositives: - AppvClient - CCM level: high +tags: + - attack.execution + - attack.t1047 + - attack.t1059.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml index 52d386477..612ecd044 100644 --- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml +++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml @@ -26,4 +26,3 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index de22303eb..b861ce72e 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -35,4 +35,3 @@ level: medium tags: - attack.defense_evasion - attack.t1220 - - attack.execution # an old one diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml index 7378e096c..36a523e37 100644 --- a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml +++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml 
@@ -7,19 +7,6 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron status: experimental references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -tags: - - attack.persistence - - attack.g0049 - - attack.t1053 # an old one - - attack.t1053.005 - - attack.s0111 - - attack.t1050 # an old one - - attack.t1543.003 - - attack.defense_evasion - - attack.t1112 - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 date: 2018/03/23 modified: 2021/09/19 author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community @@ -34,4 +21,14 @@ detection: condition: selection_reg1 falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical +tags: + - attack.persistence + - attack.g0049 + - attack.t1053.005 + - attack.s0111 + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071.004 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index 5c95188e2..cc6bcbd94 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -14,7 +14,6 @@ references: status: experimental tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/registry_event/registry_event_defender_exclusions.yml b/rules/windows/registry_event/registry_event_defender_exclusions.yml index 1840ff84f..863ce5553 100644 --- a/rules/windows/registry_event/registry_event_defender_exclusions.yml +++ b/rules/windows/registry_event/registry_event_defender_exclusions.yml @@ -12,7 +12,6 @@ references: status: test tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows 
diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml index fc25febc7..938a1f7c1 100755 --- a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -10,7 +10,6 @@ modified: 2021/09/12 author: Florian Roth tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 - attack.t1112 logsource: diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml index 1cc8bfc66..7c4060d17 100644 --- a/rules/windows/registry_event/registry_event_mal_adwind.yml +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml @@ -11,11 +11,6 @@ references: author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 modified: 2022/01/13 -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 - - attack.t1064 # an old one logsource: category: registry_event product: windows @@ -26,3 +21,7 @@ detection: Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection level: high +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml index 8f5c2b1bf..597e33ad0 100644 --- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml @@ -9,7 +9,6 @@ date: 2018/03/20 modified: 2021/09/21 tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 - attack.t1112 logsource: 
diff --git a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml index 595145857..7a542b20e 100755 --- a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml @@ -5,13 +5,6 @@ description: Detects the usage and installation of a backdoor that uses an optio status: experimental references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ -tags: - - attack.privilege_escalation - - attack.persistence - - attack.t1015 # an old one - - attack.t1546.008 - - car.2014-11-003 - - car.2014-11-008 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community date: 2018/03/15 modified: 2021/09/12 @@ -30,4 +23,10 @@ detection: condition: selection_registry falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1546.008 + - car.2014-11-003 + - car.2014-11-008 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml index 01603e588..bb1ad8524 100755 --- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml @@ -8,12 +8,6 @@ references: author: Florian Roth date: 2017/03/19 modified: 2021/09/12 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1088 # an old one - - attack.t1548.002 - - car.2019-04-001 logsource: product: windows category: registry_event @@ -25,3 +19,8 @@ detection: falsepositives: - unknown level: critical +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 \ No newline at end of file 
diff --git a/rules/windows/registry_event/sysmon_apt_leviathan.yml b/rules/windows/registry_event/sysmon_apt_leviathan.yml index c32419187..26311a8cc 100644 --- a/rules/windows/registry_event/sysmon_apt_leviathan.yml +++ b/rules/windows/registry_event/sysmon_apt_leviathan.yml @@ -4,10 +4,6 @@ status: experimental description: Detects registry key used by Leviathan APT in Malaysian focused campaign references: - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 author: Aidan Bracher date: 2020/07/07 modified: 2021/09/13 @@ -19,3 +15,6 @@ detection: TargetObject: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd' condition: selection level: critical +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 65923ce35..0eba0db70 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -6,10 +6,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys -tags: - - attack.persistence - - attack.t1547.001 - - attack.t1060 # an old one date: 2019/10/25 modified: 2021/12/05 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton 
@@ -215,3 +211,6 @@ fields: falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml index 10c7f0b17..782a2365c 100755 --- a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml +++ b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml @@ -2,13 +2,6 @@ title: CMSTP Execution Registry Event id: b6d235fc-1d38-4b12-adbe-325f06728f37 status: stable description: Detects various indicators of Microsoft Connection Manager Profile Installer execution -tags: - - attack.defense_evasion - - attack.execution - - attack.t1191 # an old one - - attack.t1218.003 - - attack.g0069 - - car.2019-04-001 author: Nik Seetharaman date: 2018/07/16 modified: 2020/12/23 @@ -28,3 +21,9 @@ detection: selection: TargetObject|contains: '\cmmgr32.exe' condition: selection +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.003 + - attack.g0069 + - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml index da3724582..99fb16bc1 100755 --- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml @@ -23,6 +23,5 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index fd49c8429..8adfe4acc 100755 
--- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -28,6 +28,5 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml index 8d127a5ee..884564b3e 100755 --- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml @@ -19,6 +19,5 @@ falsepositives: level: critical tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.s0005 diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index e8302dd00..51cdc34d6 100644 --- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml @@ -19,7 +19,6 @@ falsepositives: - penetration tests, red teaming level: high tags: - - attack.t1037 # an old one - attack.t1037.001 - attack.persistence - attack.lateral_movement diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml index 2e07a2d8c..fb729a92c 100755 --- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml @@ -22,5 +22,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 1c4d405b0..2e4d32e44 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -28,5 +28,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1182 # an old one - attack.t1546.009 diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index e54f396b2..df6b7b4d8 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -5,10 +5,6 @@ description: DLLs that are specified in the AppInit_DLLs value in the Registry k into every process that loads user32.dll references: - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html -tags: - - attack.persistence - - attack.t1103 # an old one - - attack.t1546.010 author: Ilyas Ochkov, oscd.community, Tim Shelton date: 2019/10/25 modified: 2021/11/11 @@ -35,3 +31,6 @@ fields: falsepositives: - Unknown level: medium +tags: + - attack.persistence + - attack.t1546.010 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2e2d8bef6..0a5a3fb67 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml 
@@ -7,10 +7,6 @@ references: author: Kutepov Anton, oscd.community date: 2019/10/23 modified: 2021/09/17 -tags: - - attack.persistence - - attack.t1122 # an old one - - attack.t1546.015 logsource: category: registry_event product: windows @@ -25,3 +21,6 @@ detection: falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility level: medium +tags: + - attack.persistence + - attack.t1546.015 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml index 15b607a3e..1ab4d22be 100755 --- a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml +++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml @@ -20,5 +20,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1193 # an old one - attack.t1566.001 diff --git a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml index 4a2d3bb86..03ff9e243 100755 --- a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml +++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml @@ -25,5 +25,4 @@ falsepositives: level: critical tags: - attack.persistence - - attack.t1101 # an old one - attack.t1547.005 diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml index b790158bc..42eeaf985 100755 --- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml +++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml @@ -23,5 +23,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml index 0ba4aebe0..83fa79d02 100644 
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml +++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml @@ -23,5 +23,4 @@ level: high tags: - attack.execution - attack.persistence - - attack.t1177 # an old one - attack.t1547.008 diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 11e4cb99d..31e621931 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -33,6 +33,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 - # - capec.270 diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 6e6f8b0c8..e4e99540b 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml @@ -5,10 +5,6 @@ description: Detects suspicious new RUN key element pointing to an executable in references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth, Markus Neis, Sander Wiebing -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 date: 2018/08/25 modified: 2022/01/13 logsource: @@ -39,3 +35,6 @@ fields: falsepositives: - Software using weird folders for updates level: high +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 9ede1214d..47489812b 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml 
@@ -30,6 +30,5 @@ falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
level: medium
tags:
- - attack.t1089 # an old one
- attack.t1562.001
- attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 378e7f623..cbb40e35c 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -19,12 +19,11 @@ detection:
TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
Details|contains: '-1???\Software\Classes\'
condition: 1 of selection*
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1088 # an old one
- - attack.t1548.002
- - car.2019-04-001
falsepositives:
- unknown
level: high
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 2d7601fa0..2014a9f78 100755
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -32,6 +32,5 @@ tags:
- attack.privilege_escalation
- attack.persistence
- attack.defense_evasion
- - attack.t1183 # an old one
- attack.t1546.012
- car.2013-01-002
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index d6d596476..c47194cf2 100644
--- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
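Review bot: The falsepositives context line in sysmon_susp_service_installed.yml carries the pre-existing typo `legimate` and the grammar slip `this service names`, and since this hunk already touches the file it is a cheap moment to fix it: `- Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.` The tag edit itself is fine; the remaining `attack.t1562.001` and `attack.defense_evasion` entries match the sibling rules in this commit.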
@@ -19,6 +19,5 @@ falsepositives:
- exclude legitimate (vetted) use of WMI event subscription in your network
level: high
tags:
- - attack.t1084 # an old one
- attack.persistence
- attack.t1546.003
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index e4b7fbf1d..cd3dcfc43 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -9,10 +9,6 @@ references:
- https://github.com/RiccardoAncarani/LiquidSnake
date: 2019/04/15
modified: 2021/09/01
-tags:
- - attack.t1086 # an old one
- - attack.execution
- - attack.t1059.005
logsource:
product: windows
category: wmi_event
@@ -43,3 +39,6 @@ fields:
falsepositives:
- Administrative scripts
level: high
+tags:
+ - attack.execution
+ - attack.t1059.005
\ No newline at end of file
