Merge branch 'master' of github.com:oscd-initiative/sigma

This commit is contained in:
aw350m3
2020-08-29 04:39:45 +00:00
82 changed files with 262 additions and 123 deletions
@@ -7,7 +7,7 @@ references:
date: 2019/05/12
tags:
- attack.s0003
- attack.t1156
- attack.t1156 # an old one
- attack.persistence
- attack.t1546.004
author: Peter Matkovski
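Review bot: no `modified:` field accompanies the tag change in this hunk (only `date: 2019/05/12` is shown), whereas most other rules in this commit gain a `modified: 2020/08/2x` line; add one here so the rule's metadata reflects the sub-technique migration.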
@@ -10,7 +10,7 @@ references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1054 # an old one
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
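Review bot: the swap from `attack.t1054` to `attack.t1562.006` is not accompanied by a `modified:` line in this hunk; add one with the date of this change, as the other rules in this commit do.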
@@ -1,12 +1,13 @@
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: experimental
description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
references:
- 'MITRE Attack technique T1136; Create Account '
date: 2020/05/18
tags:
- attack.t1136
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
author: Marie Euler
logsource:
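Review bot: the `description:` line appears twice with identical visible text, so that part of the hunk is most likely a whitespace-only change; confirm it is intended. While here: the title `Creation Of An User Account` should read `Creation Of A User Account`, the reference string `'MITRE Attack technique T1136; Create Account '` carries a trailing space, and the tag change lacks a `modified:` line.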
@@ -9,7 +9,7 @@ references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1054 # an old one
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
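Review bot: this `attack.t1054` to `attack.t1562.006` migration adds no `modified:` line alongside the tag change, unlike the rules later in this commit; add one.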
@@ -4,6 +4,9 @@ status: experimental
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2018/02/20
logsource:
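Review bot: a whole `tags:` block is added but the rule's metadata still ends at `date: 2018/02/20` with no `modified:` line; the other rules in this commit that gain tags also gain a `modified: 2020/08/2x` entry.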
@@ -18,4 +21,3 @@ detection:
falsepositives:
- Unknown
level: high
@@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
references:
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2017/06/30
modified: 2020/05/15
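Review bot: `modified: 2020/05/15` is left as unchanged context even though this hunk adds a `tags:` block with `attack.initial_access` / `attack.t1190`; bump it to the date of this change.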
@@ -27,4 +30,3 @@ detection:
falsepositives:
- Unknown
level: medium
@@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/dagwieers/vsftpd/
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2017/07/05
logsource:
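Review bot: a `tags:` block is added without a `modified:` line; `date: 2017/07/05` is the only date left on the rule, which hides that the tagging is three years newer than the logic.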
@@ -8,6 +8,14 @@ references:
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
logsource:
category: dns
detection:
@@ -17,6 +25,3 @@ detection:
falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1048
- attack.exfiltration
@@ -5,9 +5,11 @@ description: High DNS queries bytes amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
level: medium
@@ -5,9 +5,14 @@ description: High DNS requests amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
level: medium
@@ -4,9 +4,14 @@ description: Extremely high rate of NULL record type DNS requests from host per
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
@@ -4,9 +4,14 @@ description: Extremely high rate of TXT record type DNS requests from host per s
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
@@ -6,6 +6,11 @@ references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
@@ -6,6 +6,14 @@ references:
- https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
@@ -6,10 +6,12 @@ references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
author: Markus Neis
date: 2018/08/08
modified: 2020/08/27
logsource:
category: dns
detection:
@@ -3,6 +3,10 @@ id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2020/08/27
tags:
- attack.discovery
- attack.t1046
logsource:
category: firewall
detection:
@@ -9,6 +9,11 @@ references:
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth
date: 2018/06/05
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1102 # an old one
- attack.t1102.002
logsource:
category: dns
detection:
@@ -9,7 +9,7 @@ references:
- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
tags:
- attack.command_and_control
- attack.t1071
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: process_creation
@@ -5,10 +5,11 @@ author: Florian Roth
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
date: 2019/12/31
modified: 2020/07/01
modified: 2020/08/26
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
@@ -5,13 +5,12 @@ description: Detects creation or execution of UserInitMprLogonScript persistence
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.t1037 # an old one
- attack.t1037.001
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
modified: 2020/07/01
modified: 2020/08/26
logsource:
category: process_creation
product: windows
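Review bot: `attack.lateral_movement`, the context line right below the new `attack.t1037.001` tag, does not match T1037's tactics, which are persistence and privilege escalation; since this hunk already reworks the tags block, replace it with `attack.privilege_escalation` or drop it.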
@@ -6,10 +6,12 @@ references:
tags:
- attack.execution
- attack.g0016
- attack.t1086
- attack.t1086 # an old one
- attack.t1059 # an old one
- attack.t1059.001
author: Florian Roth
date: 2018/12/04
modified: 2020/08/26
logsource:
category: process_creation
product: windows
@@ -6,20 +6,22 @@ references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
tags:
- attack.execution
- attack.t1059
- attack.t1086
- attack.t1059 # an old one
- attack.t1086 # an old one
- attack.t1059.003
- attack.t1059.001
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1170
- attack.t1218
- attack.t1059.003
- attack.t1059.001
- attack.t1170 # an old one
- attack.t1218 # an old one
- attack.t1218.005
logsource:
category: process_creation
product: windows
author: Florian Roth
date: 2019/02/24
modified: 2020/08/26
detection:
selection:
CommandLine:
@@ -5,11 +5,13 @@ references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
modified: 2020/08/26
tags:
- attack.credential_access
- attack.t1081
- attack.t1003
- attack.t1081 # an old one
- attack.t1003 # an old one
- attack.t1552.001
- attack.t1003.003
logsource:
category: process_creation
product: windows
@@ -6,7 +6,7 @@ references:
- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
tags:
- attack.defense_evasion
- attack.t1117
- attack.t1117 # an old one
- attack.t1218.010
author: Florian Roth
date: 2019/10/02
@@ -7,12 +7,18 @@ references:
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053 # an old one
- attack.t1053.005
- attack.s0111
- attack.t1050 # an old one
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
date: 2018/03/23
modified: 2019/03/01
modified: 2020/08/26
author: Florian Roth, Markus Neis
detection:
condition: 1 of them
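Review bot: `attack.t1050 # an old one` is added without a plain `attack.t1050` line anywhere in the hunk, unlike every other `# an old one` entry in this commit, which sits next to the tag it supersedes; if the rule never carried T1050, the comment is misleading and only `attack.t1543.003` should be added. The trailing `attack.t1071 # an old one` / `attack.t1071.004` pair matches the DNS rules elsewhere in the change.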
@@ -8,7 +8,7 @@ references:
tags:
- attack.execution
- attack.g0045
- attack.t1064
- attack.t1064 # an old one
- attack.t1059.005
logsource:
category: process_creation
@@ -8,8 +8,12 @@ tags:
- attack.g0030
- attack.g0050
- attack.s0081
- attack.execution
- attack.t1059 # an old one
- attack.t1059.003
author: Florian Roth
date: 2018/01/31
modified: 2020/08/26
logsource:
category: process_creation
product: windows
@@ -5,8 +5,13 @@ description: Detects the execution of DLL side-loading malware used by threat gr
references:
- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
- https://twitter.com/cyb3rops/status/1168863899531132929
tags:
- attack.defense_evasion
- attack.t1073 # an old one
- attack.t1574.002
author: Florian Roth
date: 2018/09/03
modified: 2020/08/27
logsource:
category: process_creation
product: windows
@@ -5,10 +5,11 @@ description: Detects EmpireMonkey APT reported Activity
references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.t1086
- attack.t1059.001
- attack.execution
- attack.defense_evasion
- attack.t1218.010
- attack.t1117 # an old one
date: 2019/04/02
modified: 2020/08/27
author: Markus Neis
detection:
condition: 1 of them
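Review bot: `attack.t1086` is kept next to the new `attack.t1059.001` without the `# an old one` marker that `attack.t1117 # an old one` gets a few lines below; either mark it the same way or drop it.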
@@ -2,17 +2,16 @@ title: Equation Group DLL_U Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
author: Florian Roth
date: 2019/03/04
modified: 2020/08/27
description: Detects a specific tool and export used by EquationGroup
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
- https://securelist.com/apt-slingshot/84312/
- https://twitter.com/cyb3rops/status/972186477512839170
tags:
- attack.execution
- attack.g0020
- attack.t1059
- attack.defense_evasion
- attack.t1085
- attack.t1085 # an old one
- attack.t1218.011
logsource:
category: process_creation
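Review bot: `attack.t1059` remains a bare parent technique under `attack.execution` with neither a sub-technique nor the `# an old one` marker, while `attack.t1085` in the same block is migrated to `attack.t1218.011`; decide whether T1059 applies to this rundll32/export detection at all and mark or replace it accordingly.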
@@ -7,6 +7,11 @@ references:
- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
author: Florian Roth
date: 2020/07/10
modified: 2020/08/27
tags:
- attack.defense_evasion
- attack.t1085 # an old one
- attack.t1218.011
logsource:
category: process_creation
product: windows
@@ -6,9 +6,17 @@ references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth
date: 2020/05/20
modified: 2020/05/21
modified: 2020/08/27
tags:
- attack.g0049
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
- attack.command_and_control
- attack.t1105
- attack.defense_evasion
- attack.t1036 # an old one
- attack.t1036.005
logsource:
category: process_creation
product: windows
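Review bot: `attack.t1086 #an old one` is missing the space after `#`; every other marker in this commit is written `# an old one`, and one consistent spelling keeps the markers greppable when the old tags are eventually removed.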
@@ -5,14 +5,16 @@ references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
modified: 2020/08/27
tags:
- attack.lateral_movement
- attack.g0010
- attack.credential_access
- attack.t1098
- attack.t1003 # an old one
- attack.t1003.001
- attack.exfiltration
- attack.t1002
- attack.t1560
- attack.t1002 # an old one
- attack.t1560.001
logsource:
category: process_creation
product: windows
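Review bot: `attack.t1003 # an old one` is added although no plain `attack.t1003` line appears in the hunk; the only credential-access technique shown before the change is `attack.t1098`. If `attack.t1098` is what is being replaced, say so (or keep it), and if T1003 was never on the rule, add only `attack.t1003.001` without the marker.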
@@ -7,8 +7,8 @@ references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
tags:
- attack.g0004
- attack.t1059
- attack.t1089
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
author: Markus Neis, Swisscom
date: 2020/06/18
@@ -6,7 +6,7 @@ references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036 # an old one
- attack.t1036.005
author: Trent Liffick (@tliffick)
date: 2020/06/03
@@ -3,12 +3,12 @@ title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
author: Florian Roth
date: 2019/03/04
modified: 2020/08/27
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
- attack.t1053
- attack.s0111
detection:
condition: 1 of them
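Review bot: only `modified: 2020/08/27` is added, but `attack.t1053` is left as a bare parent technique; the same commit migrates T1053 elsewhere to `attack.t1053.005` with `attack.t1053 # an old one`, and a rule about a scheduled defragmentation task should get the same treatment.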
@@ -3,6 +3,7 @@ id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
author: Florian Roth
status: experimental
date: 2018/03/01
modified: 2020/08/27
description: Detects Trojan loader acitivty as used by APT28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
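Review bot: `acitivty` in the description (`Detects Trojan loader acitivty as used by APT28`) is a typo for `activity`; since this hunk already adds `modified: 2020/08/27`, fix it in the same change.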
@@ -11,9 +12,10 @@ references:
tags:
- attack.g0007
- attack.execution
- attack.t1059
- attack.t1059 # an old one
- attack.t1059.003
- attack.defense_evasion
- attack.t1085
- attack.t1085 # an old one
- car.2013-10-002
- attack.t1218.011
logsource:
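Review bot: `car.2013-10-002` now sits between `attack.t1085 # an old one` and `attack.t1218.011`; keep the old/new pair adjacent, as done for `attack.t1059 # an old one` / `attack.t1059.003` just above, so the CAR reference does not read as part of the migration.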
@@ -6,10 +6,12 @@ references:
tags:
- attack.defense_evasion
- attack.g0035
- attack.t1036
- attack.t1036 # an old one
- attack.t1036.003
- car.2013-05-009
author: Florian Roth
date: 2017/10/22
modified: 2020/08/27
logsource:
category: process_creation
product: windows
@@ -8,6 +8,7 @@ author: Florian Roth
date: 2020/07/30
tags:
- attack.execution
- attack.t1055 # an old one
- attack.t1055.001
logsource:
category: process_creation
@@ -3,13 +3,14 @@ id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
author: '@41thexplorer, Microsoft Defender ATP'
status: stable
date: 2019/11/12
modified: 2020/08/27
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
tags:
- attack.execution
- attack.t1085
- attack.t1218.011
- attack.t1059 # an old one
- attack.t1059.001
logsource:
category: process_creation
product: windows
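Review bot: `attack.t1218.011` is placed under `attack.execution`, while the other rules in this commit list it under `attack.defense_evasion` (the APT28 and Equation Group hunks, for instance); also `attack.t1085` is kept without the `# an old one` marker that `attack.t1059 # an old one` gets two lines below. Add `attack.defense_evasion` and mark or drop `attack.t1085`.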
@@ -10,12 +10,14 @@ tags:
- attack.execution
- attack.t1059
- attack.lateral_movement
- attack.t1077
- attack.t1077 # an old one
- attack.t1021.002
- attack.discovery
- attack.t1083
- attack.t1135
author: Markus Neis
date: 2017/11/07
modified: 2020/08/27
logsource:
category: process_creation
product: windows
@@ -7,14 +7,14 @@ references:
tags:
- attack.g0010
- attack.execution
- attack.t1086
- attack.t1053
- attack.t1027
- attack.discovery
- attack.t1016
- attack.t1086 # an old one
- attack.t1059.001
- attack.t1053 # an old one
- attack.t1053.005
- attack.t1027
author: Florian Roth
date: 2020/05/26
modified: 2020/08/27
logsource:
category: process_creation
product: windows
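Review bot: `attack.discovery` and `attack.t1016` appear only once in the hunk, in the pre-change ordering, while `attack.t1027` is shown both there and re-added after the new `attack.t1053.005` line; the hunk header shows an equal number of lines removed and added, so confirm that discovery/T1016 were not dropped unintentionally and re-add them if so.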
@@ -12,8 +12,8 @@ date: 2019/04/20
modified: 2020/07/13
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows
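Review bot: `modified: 2020/07/13` is shown as unchanged context above the tag migration (`attack.t1086` to `attack.t1059.001` / `attack.t1086 # an old one`); bump it to this change's date as the other rules in the commit do.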
@@ -22,9 +22,9 @@ fields:
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
- attack.t1548.002
- attack.t1088 # an old one
- car.2019-04-001
falsepositives:
- unknown
level: critical
@@ -9,8 +9,8 @@ date: 2018/09/03
modified: 2019/12/16
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows
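Review bot: `modified: 2019/12/16` is not bumped even though the tags are migrated from `attack.t1086` to `attack.t1059.001`; update it to the date of this change.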
@@ -6,10 +6,10 @@ references:
- https://twitter.com/0gtweet/status/1281103918693482496
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.defense_evasion
- attack.t1027
- attack.t1086
- attack.t1059.001
author: Florian Roth
date: 2020/07/09
logsource:
@@ -6,8 +6,8 @@ references:
- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
author: John Lambert (rule)
date: 2019/01/16
logsource:
@@ -8,8 +8,8 @@ references:
- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows
@@ -8,8 +8,8 @@ author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/03/20
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows
@@ -11,9 +11,9 @@ tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003
- car.2013-05-009
- attack.t1003.001
- attack.t1003 # an old one
- car.2013-05-009
logsource:
category: process_creation
product: windows
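Review bot: `attack.t1003` is migrated to `attack.t1003.001` but `attack.t1036` two lines up is left as a bare parent technique; elsewhere in this commit T1036 becomes `attack.t1036.003` or `attack.t1036.005` with the `# an old one` marker, so pick the matching sub-technique here too.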
@@ -7,8 +7,8 @@ references:
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
author: Florian Roth
date: 2019/01/09
logsource:
@@ -5,11 +5,14 @@ description: Detects the execution of powershell, a WebClient object creation an
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
author: Florian Roth
date: 2020/03/25
date: 2020/08/28
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
- attack.t1086 # an old one
- attack.command_and_control
- attack.t1104
- attack.t1105
logsource:
category: process_creation
product: windows
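Review bot: the hunk changes `date: 2020/03/25` to `date: 2020/08/28`, which overwrites the rule's creation date; the tag migration should add `modified: 2020/08/28` and leave `date:` as it was, as the other rules in this commit do.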
@@ -7,10 +7,10 @@ references:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
author: Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
modified: 2020/08/28
tags:
- attack.persistence
- attack.t1218
- attack.collection
- attack.t1113
level: medium
logsource:
category: process_creation
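Review bot: `attack.t1218` is listed under `attack.persistence`; T1218 (Signed Binary Proxy Execution) is a defense-evasion technique, and the other rules in this commit place `attack.t1218.*` under `attack.defense_evasion`. Since only `modified:` is bumped here, either fix the tactic in this change or leave the rule out of it.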
@@ -6,9 +6,13 @@ references:
- https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
author: '@ROxPinTeddy'
date: 2020/05/12
modified: 2020/08/28
tags:
- attack.exfiltration
- attack.t1002
- attack.collection
- attack.t1560.001
- attack.exfiltration # an old one
- attack.t1002 # an old one
logsource:
category: process_creation
product: windows
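Review bot: `attack.exfiltration # an old one` marks a tactic, not a technique ID, as superseded; the `# an old one` convention in this commit only makes sense for technique IDs replaced by sub-techniques. If exfiltration no longer applies to a Cobalt Strike config-decoding rule, drop the tag; if it does, keep it without the marker.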
@@ -9,8 +9,8 @@ date: 2019/01/16
tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
- attack.t1059
- attack.t1064 # an old one
logsource:
category: process_creation
product: windows
@@ -4,9 +4,12 @@ status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
date: 2019/01/16
modified: 2020/08/28
tags:
- attack.discovery
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1087 # an old one
logsource:
category: process_creation
product: windows
@@ -4,15 +4,17 @@ status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
date: 2019/01/16
modified: 2020/08/28
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
tags:
- attack.t1117
- attack.defense_evasion
- attack.execution
- attack.t1218.010
- attack.execution # an old one
- attack.t1117 # an old one
- car.2019-04-002
- car.2019-04-003
- attack.t1218
logsource:
category: process_creation
product: windows
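Review bot: `attack.execution # an old one` marks a tactic rather than a technique ID; keep `attack.execution` plain or remove it, since the marker belongs to superseded IDs such as `attack.t1117 # an old one`. Both the parent `attack.t1218` and the sub-technique `attack.t1218.010` are now tagged as well; keep the parent only if the rule covers regsvr32 behaviour beyond T1218.010.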
@@ -7,9 +7,9 @@ date: 2019/07/13
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
tags:
- attack.t1117
- attack.defense_evasion
- attack.t1218.010
- attack.t1117 # an old one
logsource:
category: process_creation
product: windows
@@ -8,9 +8,13 @@ references:
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth
date: 2020/01/28
modified: 2020/08/28
tags:
- attack.defense_evasion
- attack.t1055
- attack.t1036
- attack.t1055.001
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
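Review bot: `attack.t1055` and `attack.t1055.001` are both present with no `# an old one` marker on the parent, unlike the Cobalt Strike and CreateRemoteThread hunks later in this commit, which use `attack.t1055 # an old one` / `attack.t1055.001`; mark or drop the parent for consistency.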
@@ -8,9 +8,9 @@ references:
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
- attack.execution # an old one
- attack.t1218.011
- attack.t1085 # an old one
author: juju4
date: 2019/01/16
logsource:
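Review bot: `attack.execution # an old one` marks a tactic as superseded, which the marker convention does not cover; T1085 is the superseded ID here and `attack.t1085 # an old one` already carries the marker. Keep or drop `attack.execution` without the comment.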
@@ -8,9 +8,9 @@ references:
- https://twitter.com/cyb3rops/status/1186631731543236608
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
- attack.execution # an old one
- attack.t1218.011
- attack.t1085 # an old one
author: Florian Roth
date: 2019/10/22
logsource:
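Review bot: `attack.execution # an old one` marks a tactic, not a superseded technique ID; `attack.t1085 # an old one` already marks the replaced ID, so `attack.execution` should be kept plain or removed.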
@@ -21,10 +21,10 @@ tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053
- attack.t1053.005
- attack.t1053 # an old one
- attack.s0111
- car.2013-08-001
- attack.t1053.005
falsepositives:
- Administrative activity
- Software installation
@@ -4,10 +4,12 @@ status: experimental
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
date: 2019/01/16
modified: 2020/08/28
tags:
- attack.execution
- attack.t1064
- attack.t1059.005
- attack.t1059.007
- attack.t1064 # an old one
logsource:
category: process_creation
product: windows
@@ -6,10 +6,11 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
tags:
- attack.persistence
- attack.t1031
- attack.privilege_escalation
- attack.t1543.003
- attack.t1031 # an old one
date: 2019/10/21
modified: 2019/11/10
modified: 2020/08/28
author: Victor Sergeev, oscd.community
logsource:
category: process_creation
@@ -7,8 +7,11 @@ references:
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Karneades / Markus Neis
date: 2019/11/12
modified: 2020/08/28
falsepositives:
- 1Clipboard
- Beaker Browser
@@ -4,9 +4,11 @@ status: experimental
description: Detects a suspicious svchost process start
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.005
- attack.t1036 # an old one
author: Florian Roth
date: 2017/08/15
modified: 2020/08/28
logsource:
category: process_creation
product: windows
@@ -6,8 +6,10 @@ references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
date: 2019/12/28
modified: 2020/07/23
modified: 2020/08/28
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
logsource:
category: process_creation
@@ -1,4 +1,4 @@
title: Suspicious SYSVOL Domain Group Policy Access
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: experimental
description: Detects Access to Domain Group Policies stored in SYSVOL
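Review bot: the before and after `title:` lines are visibly identical (`Suspicious SYSVOL Domain Group Policy Access`), so this hunk is a whitespace or line-ending change; confirm it is intended and not an editor artifact.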
@@ -7,10 +7,11 @@ references:
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis
date: 2018/04/09
modified: 2018/12/11
modified: 2020/08/28
tags:
- attack.credential_access
- attack.t1003
- attack.t1552.006
- attack.t1003 # an old one
logsource:
category: process_creation
product: windows
@@ -5,6 +5,7 @@ author: Den Iuzvyk
reference:
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
date: 2020/07/15
modified: 2020/08/26
logsource:
category: sysmon
product: windows
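Review bot: this rule uses `reference:` (singular) where every other rule in this commit uses `references:`, and `logsource: category: sysmon` where the other Sysmon rules use `product: windows` / `service: sysmon`; since `modified: 2020/08/26` is bumped here, fix both keys in the same change so the rule validates and converts like its siblings.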
@@ -12,7 +13,8 @@ status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1073
- attack.t1073 # an old one
- attack.t1574.002
detection:
condition: selection_dll and not filter_legit
selection_dll:
@@ -6,10 +6,12 @@ references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
- attack.defense_evasion
- attack.t1027
- attack.t1027 # an old one
- attack.s0139
- attack.t1564.004
author: Florian Roth, @0xrawsec
date: 2018/06/03
modified: 2020/08/26
logsource:
product: windows
service: sysmon
@@ -9,7 +9,7 @@ references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
- attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
@@ -7,6 +7,7 @@ references:
status: experimental
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019/02/01
modified: 2020/08/28
logsource:
product: windows
service: sysmon
@@ -23,9 +24,14 @@ detection:
StartModule: null
condition: selection
tags:
- attack.defense_evasion
- attack.t1093 # an old one
- attack.t1055.012
- attack.execution
- attack.t1055
- attack.t1064
- attack.t1064 # an old one
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
falsepositives:
- unknown
level: high
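Review bot: `attack.t1055` is kept as a bare parent under `attack.execution` next to the new `attack.t1055.012`, with no `# an old one` marker; mark the parent or drop it, as done for `attack.t1064 # an old one` / `attack.t1059.005` in the same block.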
@@ -6,11 +6,13 @@ description: Detects various indicators of Microsoft Connection Manager Profile
tags:
- attack.defense_evasion
- attack.execution
- attack.t1191
- attack.t1191 # an old one
- attack.t1218.003
- attack.g0069
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/08/28
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
@@ -6,11 +6,12 @@ references:
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
- attack.defense_evasion
- attack.t1055
- attack.t1055 # an old one
- attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2019/11/08
modified: 2020/08/28
logsource:
product: windows
service: sysmon
@@ -3,13 +3,14 @@ id: 052ec6f6-1adc-41e6-907a-f1c813478bee
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status: experimental
date: 2019/08/11
modified: 2019/11/10
modified: 2020/08/28
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
tags:
- attack.defense_evasion
- attack.t1055
- attack.t1055 # an old one
- attack.t1055.001
logsource:
product: windows
service: sysmon
@@ -3,14 +3,16 @@ id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
description: Detects well-known credential dumping tools execution via specific named pipes
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
modified: 2020/08/28
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.006
- attack.t1003.005
logsource:
product: windows
service: sysmon
@@ -17,7 +17,7 @@ detection:
condition: selection
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.s0005
- attack.t1003.001
falsepositives:
@@ -3,14 +3,13 @@ id: eb07e747-2552-44cd-af36-b659ae0958e4
status: experimental
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
date: 2019/10/25
modified: 2019/11/13
modified: 2020/08/28
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
- attack.t1571
- attack.initial_access
- attack.t1189
logsource:
product: windows
service: sysmon
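Review bot: `attack.t1043` is replaced outright by `attack.t1571` (Non-Standard Port) with no `# an old one` marker, unlike the rest of this commit; more importantly, the description is about DNS answers mixing internal and external IPs (rebinding), which says nothing about ports, so T1571 looks like a poor fit. Keep `attack.initial_access` / `attack.t1189`, and if no C2 technique fits, drop the C2 tags rather than substitute one.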
@@ -18,9 +18,9 @@ detection:
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
- attack.t1086
- attack.t1085 # an old one
- attack.t1218.011
- attack.t1086 # an old one
- attack.t1059.001
falsepositives:
- Unkown
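Review bot: `Unkown` in the `falsepositives:` context line is a typo for `Unknown`; worth fixing while this rule's tags are being migrated.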
@@ -7,7 +7,7 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2019/11/13
modified: 2020/08/28
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
@@ -17,6 +17,7 @@ logsource:
service: sysmon
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
detection:
selection:
@@ -2,10 +2,8 @@ title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects creation of WMI event subscription persistence method
references:
- https://attack.mitre.org/techniques/T1084/
tags:
- attack.t1084
- attack.t1084 # an old one
- attack.persistence
- attack.t1546.003
author: Tom Ueltschi (@c_APT_ure)
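Review bot: the reference `https://attack.mitre.org/techniques/T1084/` points at the superseded technique while the hunk adds `attack.t1546.003`; update the reference to https://attack.mitre.org/techniques/T1546/003/ alongside the tag.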
@@ -8,7 +8,7 @@ references:
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
date: 2019/04/15
tags:
- attack.t1086
- attack.t1086 # an old one
- attack.execution
- attack.t1059.005
logsource:
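Review bot: `attack.t1086 # an old one` (PowerShell) is paired with `attack.t1059.005` (Visual Basic); everywhere else in this commit T1086 migrates to `attack.t1059.001`. Check which scripting language the LNK-file rule actually detects and use the matching T1059 sub-technique.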