diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index dff6bbf3e..e8bb866a4 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -7,7 +7,7 @@ references:
 date: 2019/05/12
 tags:
 - attack.s0003
- - attack.t1156
+ - attack.t1156 # an old one
 - attack.persistence
 - attack.t1546.004
 author: Peter Matkovski
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index d9fb2e403..ef36ca7cb 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -10,7 +10,7 @@ references:
 - self experience
 tags:
 - attack.defense_evasion
- - attack.t1054
+ - attack.t1054 # an old one
 - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 14be30c03..f3ac6df9c 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -1,12 +1,13 @@
 title: Creation Of An User Account
 id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
 status: experimental
-description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
+description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
 references:
 - 'MITRE Attack technique T1136; Create Account '
 date: 2020/05/18
 tags:
- - attack.t1136
+ - attack.t1136 # an old one
+ - attack.t1136.001
 - attack.persistence
 author: Marie Euler
 logsource:
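Review bot: The `# an old one` comment added after `attack.t1156` here (and after every retired tag in this commit) is discarded by the YAML parser, so sigmac and any tag-driven consumer still receive the retired ID side by side with its successor and cannot tell the two apart; the comment also does not say what replaced the ID or why it is kept. If the old IDs are deliberately retained for consumers still on a pre-sub-technique ATT&CK version, record that policy once in the rule specification and have each comment name the successor, e.g. `- attack.t1156 # retired, superseded by attack.t1546.004`. The same wording is also applied to parent techniques that remain valid in current ATT&CK (T1003, T1036, T1059, T1071, T1055 in the later hunks), which are not "old" in the sense T1156, T1086, T1085 or T1117 are; a distinct wording such as `# parent technique` would keep that distinction visible to maintainers. The greenbug hunk writes `#an old one` without the space after `#` that yamllint's comments rule expects.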
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index b456805b1..1657563b6 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -9,7 +9,7 @@ references:
 - self experience
 tags:
 - attack.defense_evasion
- - attack.t1054
+ - attack.t1054 # an old one
 - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 11972f4d5..7d1a67003 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2018/02/20
 logsource:
@@ -18,4 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 6001335f5..d9044d60b 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
 - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2017/06/30
 modified: 2020/05/15
@@ -27,4 +30,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index 3fb3eaf9a..90de6e767 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/dagwieers/vsftpd/
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2017/07/05
 logsource:
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 2092f242c..b2bb4e3f3 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -8,6 +8,14 @@ references:
 - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 author: Patrick Bareiss
 date: 2019/04/07
+modified: 2020/08/27
+tags:
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
+ - attack.exfiltration
+ - attack.t1048 # an old one
+ - attack.t1048.003
 logsource:
 category: dns
 detection:
@@ -17,6 +25,3 @@ detection:
 falsepositives:
 - Valid software, which uses dns for transferring data
 level: high
-tags:
- - attack.t1048
- - attack.exfiltration
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml
index d7dfefe03..105c05f58 100644
--- a/rules/network/net_high_dns_bytes_out.yml
+++ b/rules/network/net_high_dns_bytes_out.yml
@@ -5,9 +5,11 @@ description: High DNS queries bytes amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
 - attack.exfiltration
- - attack.t1048
+ - attack.t1048 # an old one
+ - attack.t1048.003
 falsepositives:
 - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
 level: medium
diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml
index 0301e9a03..971fac787 100644
--- a/rules/network/net_high_dns_requests_rate.yml
+++ b/rules/network/net_high_dns_requests_rate.yml
@@ -5,9 +5,14 @@ description: High DNS requests amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
 - attack.exfiltration
- - attack.t1048
+ - attack.t1048 # an old one
+ - attack.t1048.003
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 falsepositives:
 - Legitimate high DNS requests rate to domain name which should be added to whitelist
 level: medium
diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml
index 53e314728..fc1a40c36 100644
--- a/rules/network/net_high_null_records_requests_rate.yml
+++ b/rules/network/net_high_null_records_requests_rate.yml
@@ -4,9 +4,14 @@ description: Extremely high rate of NULL record type DNS requests from host per
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
 - attack.exfiltration
- - attack.t1048
+ - attack.t1048 # an old one
+ - attack.t1048.003
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 logsource:
 category: dns
 detection:
diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml
index 11d66ffd6..17a4ae7e0 100644
--- a/rules/network/net_high_txt_records_requests_rate.yml
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@@ -4,9 +4,14 @@ description: Extremely high rate of TXT record type DNS requests from host per s
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
 - attack.exfiltration
- - attack.t1048
+ - attack.t1048 # an old one
+ - attack.t1048.003
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 logsource:
 category: dns
 detection:
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 91cb4a9c9..ed4fabf02 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -6,6 +6,11 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 author: Florian Roth
 date: 2018/05/10
+modified: 2020/08/27
+tags:
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 logsource:
 category: dns
 detection:
diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml
index b1abba07c..1c8613f95 100644
--- a/rules/network/net_susp_dns_b64_queries.yml
+++ b/rules/network/net_susp_dns_b64_queries.yml
@@ -6,6 +6,14 @@ references:
 - https://github.com/krmaxwell/dns-exfiltration
 author: Florian Roth
 date: 2018/05/10
+modified: 2020/08/27
+tags:
+ - attack.exfiltration
+ - attack.t1048 # an old one
+ - attack.t1048.003
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 logsource:
 category: dns
 detection:
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 95492f1b2..ef64227eb 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -6,10 +6,12 @@ references:
 - https://twitter.com/stvemillertime/status/1024707932447854592
 - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
 tags:
- - attack.t1071
+ - attack.command_and_control
+ - attack.t1071 # an old one
 - attack.t1071.004
 author: Markus Neis
 date: 2018/08/08
+modified: 2020/08/27
 logsource:
 category: dns
 detection:
diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index d0e0e4798..29e48eec5 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -3,6 +3,10 @@ id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
+modified: 2020/08/27
+tags:
+ - attack.discovery
+ - attack.t1046
 logsource:
 category: firewall
 detection:
diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml
index 66194485e..6e92f63a8 100644
--- a/rules/network/net_susp_telegram_api.yml
+++ b/rules/network/net_susp_telegram_api.yml
@@ -9,6 +9,11 @@ references:
 - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth
 date: 2018/06/05
+modified: 2020/08/27
+tags:
+ - attack.command_and_control
+ - attack.t1102 # an old one
+ - attack.t1102.002
 logsource:
 category: dns
 detection:
diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
index f5b6e57dd..a9e9778d6 100644
--- a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -9,7 +9,7 @@ references:
 - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
 tags:
 - attack.command_and_control
- - attack.t1071
+ - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
index 1c8a22347..8981fa873 100644
--- a/rules/windows/process_creation/sysmon_hack_wce.yml
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -5,10 +5,11 @@ author: Florian Roth
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
 date: 2019/12/31
-modified: 2020/07/01
+modified: 2020/08/26
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1003 # an old one
+ - attack.t1003.001
 - attack.s0005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index f1ec0c66b..2b158b3a3 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -5,13 +5,12 @@ description: Detects creation or execution of UserInitMprLogonScript persistence
 references:
 - https://attack.mitre.org/techniques/T1037/
 tags:
- - attack.t1037
+ - attack.t1037 # an old one
 - attack.t1037.001
 - attack.persistence
- - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
-modified: 2020/07/01
+modified: 2020/08/26
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index d4f122923..0e60a088c 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -6,10 +6,12 @@ references:
 tags:
 - attack.execution
 - attack.g0016
- - attack.t1086
+ - attack.t1086 # an old one
+ - attack.t1059 # an old one
 - attack.t1059.001
 author: Florian Roth
 date: 2018/12/04
+modified: 2020/08/26
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index cf40e92fd..97fd7e1cc 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -6,20 +6,22 @@ references:
 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 tags:
 - attack.execution
- - attack.t1059
- - attack.t1086
+ - attack.t1059 # an old one
+ - attack.t1086 # an old one
+ - attack.t1059.003
+ - attack.t1059.001
 - attack.discovery
 - attack.t1012
 - attack.defense_evasion
- - attack.t1170
- - attack.t1218
- - attack.t1059.003
- - attack.t1059.001
+ - attack.t1170 # an old one
+ - attack.t1218 # an old one
+ - attack.t1218.005
 logsource:
 category: process_creation
 product: windows
 author: Florian Roth
 date: 2019/02/24
+modified: 2020/08/26
 detection:
 selection:
 CommandLine:
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index d629b4913..ec6dbff16 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -5,11 +5,13 @@ references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
 date: 2019/02/21
+modified: 2020/08/26
 tags:
 - attack.credential_access
- - attack.t1081
- - attack.t1003
+ - attack.t1081 # an old one
+ - attack.t1003 # an old one
 - attack.t1552.001
+ - attack.t1003.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index ab58aaff7..ba271c720 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -6,7 +6,7 @@ references:
 - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
 tags:
 - attack.defense_evasion
- - attack.t1117
+ - attack.t1117 # an old one
 - attack.t1218.010
 author: Florian Roth
 date: 2019/10/02
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index 2ed718dbe..1662eac37 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -7,12 +7,18 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053
+ - attack.t1053 # an old one
+ - attack.t1053.005
 - attack.s0111
+ - attack.t1050 # an old one
+ - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
+ - attack.command_and_control
+ - attack.t1071 # an old one
+ - attack.t1071.004
 date: 2018/03/23
-modified: 2019/03/01
+modified: 2020/08/26
 author: Florian Roth, Markus Neis
 detection:
 condition: 1 of them
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 51a72fe6e..f6cde4853 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -8,7 +8,7 @@ references:
 tags:
 - attack.execution
 - attack.g0045
- - attack.t1064
+ - attack.t1064 # an old one
 - attack.t1059.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml
index 1355f43aa..e392bbd7c 100755
--- a/rules/windows/process_creation/win_apt_elise.yml
+++ b/rules/windows/process_creation/win_apt_elise.yml
@@ -8,8 +8,12 @@ tags:
 - attack.g0030
 - attack.g0050
 - attack.s0081
+ - attack.execution
+ - attack.t1059 # an old one
+ - attack.t1059.003
 author: Florian Roth
 date: 2018/01/31
+modified: 2020/08/26
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
index 5a21841ca..06a42220d 100644
--- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -5,8 +5,13 @@ description: Detects the execution of DLL side-loading malware used by threat gr
 references:
 - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
 - https://twitter.com/cyb3rops/status/1168863899531132929
+tags:
+ - attack.defense_evasion
+ - attack.t1073 # an old one
+ - attack.t1574.002
 author: Florian Roth
 date: 2018/09/03
+modified: 2020/08/27
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index fbace0802..4aa084419 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -5,10 +5,11 @@ description: Detects EmpireMonkey APT reported Activity
 references:
 - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
 tags:
- - attack.t1086
- - attack.t1059.001
- - attack.execution
+ - attack.defense_evasion
+ - attack.t1218.010
+ - attack.t1117 # an old one
 date: 2019/04/02
+modified: 2020/08/27
 author: Markus Neis
 detection:
 condition: 1 of them
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 2cb176b29..6eedefb4a 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
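Review bot: The empiremonkey hunk replaces the Execution/PowerShell mapping (`attack.t1086`, `attack.t1059.001`) with Defense Evasion/regsvr32 (`attack.t1218.010`, `attack.t1117`), which is a re-classification rather than the sub-technique annotation the rest of the commit performs, and the detection block that would justify it lies outside the hunk. The tropictrooper hunk (regsvr32 `attack.t1218.011` → PowerShell `attack.t1059.001`) and the judgement_panda hunk (`attack.t1098` → `attack.t1003.001`) make the same kind of silent re-mapping. Each of these deserves a sentence in the commit message, or a reference to the matched command line, so a reviewer can check the new technique against what the selection actually fires on; if the previous mapping was simply wrong, say so.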
@@ -2,17 +2,16 @@ title: Equation Group DLL_U Load
 id: d465d1d8-27a2-4cca-9621-a800f37cf72e
 author: Florian Roth
 date: 2019/03/04
+modified: 2020/08/27
 description: Detects a specific tool and export used by EquationGroup
 references:
 - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
 - https://securelist.com/apt-slingshot/84312/
 - https://twitter.com/cyb3rops/status/972186477512839170
 tags:
- - attack.execution
 - attack.g0020
- - attack.t1059
 - attack.defense_evasion
- - attack.t1085
+ - attack.t1085 # an old one
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
index 2a469e904..da8c4c04f 100644
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -7,6 +7,11 @@ references:
 - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
 author: Florian Roth
 date: 2020/07/10
+modified: 2020/08/27
+tags:
+ - attack.defense_evasion
+ - attack.t1085 # an old one
+ - attack.t1218.011
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index 8c630baa5..f56288f7f 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -6,9 +6,17 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 author: Florian Roth
 date: 2020/05/20
-modified: 2020/05/21
+modified: 2020/08/27
 tags:
 - attack.g0049
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 #an old one
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.005
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index e781f65bb..ca9d2189e 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -5,14 +5,16 @@ references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
 date: 2019/02/21
+modified: 2020/08/27
 tags:
 - attack.lateral_movement
 - attack.g0010
 - attack.credential_access
- - attack.t1098
+ - attack.t1003 # an old one
+ - attack.t1003.001
 - attack.exfiltration
- - attack.t1002
- - attack.t1560
+ - attack.t1002 # an old one
+ - attack.t1560.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
index 84bacc8fc..1a7726dfe 100644
--- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
+++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -7,8 +7,8 @@ references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 tags:
 - attack.g0004
- - attack.t1059
- - attack.t1089
+ - attack.defense_evasion
+ - attack.t1089 # an old one
 - attack.t1562.001
 author: Markus Neis, Swisscom
 date: 2020/06/18
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index 299c767e1..ce5e14cc3 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -6,7 +6,7 @@ references:
 - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
 tags:
 - attack.defense_evasion
- - attack.t1036
+ - attack.t1036 # an old one
 - attack.t1036.005
 author: Trent Liffick (@tliffick)
 date: 2020/06/03
diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml
index 723eba626..7a2ecc297 100755
--- a/rules/windows/process_creation/win_apt_slingshot.yml
+++ b/rules/windows/process_creation/win_apt_slingshot.yml
@@ -3,12 +3,12 @@ title: Defrag Deactivation
 id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 author: Florian Roth
 date: 2019/03/04
+modified: 2020/08/27
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
 - https://securelist.com/apt-slingshot/84312/
 tags:
 - attack.persistence
- - attack.t1053
 - attack.s0111
 detection:
 condition: 1 of them
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 2124e236e..6daeed46b 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -3,6 +3,7 @@ id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
 author: Florian Roth
 status: experimental
 date: 2018/03/01
+modified: 2020/08/27
 description: Detects Trojan loader acitivty as used by APT28
 references:
 - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -11,9 +12,10 @@ references:
 tags:
 - attack.g0007
 - attack.execution
- - attack.t1059
+ - attack.t1059 # an old one
+ - attack.t1059.003
 - attack.defense_evasion
- - attack.t1085
+ - attack.t1085 # an old one
 - car.2013-10-002
 - attack.t1218.011
 logsource:
diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
index 2cf87531a..1fa44f000 100755
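Review bot: The slingshot hunk removes `attack.t1053` without adding a sub-technique, which leaves the rule carrying only a tactic and a software tag, whereas the chafer and comrat hunks migrate the same ID to `attack.t1053.005`. The description in the same hunk speaks of deactivating the scheduled defragmentation task, so unless the scheduled-task mapping was judged wrong, `- attack.t1053 # an old one` followed by `- attack.t1053.005` would be consistent with the rest of the commit; if it was judged wrong, the commit message should say why the rule is now untagged at technique level.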
--- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
+++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
@@ -6,10 +6,12 @@ references:
 tags:
 - attack.defense_evasion
 - attack.g0035
- - attack.t1036
+ - attack.t1036 # an old one
+ - attack.t1036.003
 - car.2013-05-009
 author: Florian Roth
 date: 2017/10/22
+modified: 2020/08/27
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml
index a64bf77fd..45b38a584 100644
--- a/rules/windows/process_creation/win_apt_taidoor.yml
+++ b/rules/windows/process_creation/win_apt_taidoor.yml
@@ -8,6 +8,7 @@ author: Florian Roth
 date: 2020/07/30
 tags:
 - attack.execution
+ - attack.t1055 # an old one
 - attack.t1055.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 7bf80dfb5..9cfbe54c6 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -3,13 +3,14 @@ id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
 author: '@41thexplorer, Microsoft Defender ATP'
 status: stable
 date: 2019/11/12
+modified: 2020/08/27
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
 - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
 tags:
 - attack.execution
- - attack.t1085
- - attack.t1218.011
+ - attack.t1059 # an old one
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_turla_commands.yml b/rules/windows/process_creation/win_apt_turla_commands.yml
index 2ccc6fc27..dc84c4327 100755
--- a/rules/windows/process_creation/win_apt_turla_commands.yml
+++ b/rules/windows/process_creation/win_apt_turla_commands.yml
@@ -10,12 +10,14 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077
+ - attack.t1077 # an old one
+ - attack.t1021.002
 - attack.discovery
 - attack.t1083
 - attack.t1135
 author: Markus Neis
 date: 2017/11/07
+modified: 2020/08/27
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
index 23bfc1823..f742d136c 100644
--- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -7,14 +7,14 @@ references:
 tags:
 - attack.g0010
 - attack.execution
- - attack.t1086
- - attack.t1053
- - attack.t1027
- - attack.discovery
- - attack.t1016
+ - attack.t1086 # an old one
 - attack.t1059.001
+ - attack.t1053 # an old one
+ - attack.t1053.005
+ - attack.t1027
 author: Florian Roth
 date: 2020/05/26
+modified: 2020/08/27
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index 84d9adf13..3859866a1 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -12,8 +12,8 @@ date: 2019/04/20
 modified: 2020/07/13
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 493e7220d..de818f0f2 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
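Review bot: The comrat hunk drops `attack.discovery` and `attack.t1016` with no replacement, although T1016 is not migrated to a sub-technique anywhere in this commit and the Discovery tactic disappears from the rule entirely; in a pass that otherwise only annotates and adds sub-techniques this looks accidental rather than deliberate. Unless the discovery mapping was judged wrong, restore `- attack.discovery` and `- attack.t1016` after `- attack.t1027`, or state in the commit message why they were removed. The turla_commands hunk on the same line leaves `attack.t1059` bare while annotating `attack.t1077`, which is consistent with T1059 still being a live parent technique but inconsistent with the apt29, babyshark, elise and sofacy hunks that mark the same ID as old; one convention should be chosen.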
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -22,9 +22,9 @@ fields:
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1088
- - car.2019-04-001
 - attack.t1548.002
+ - attack.t1088 # an old one
+ - car.2019-04-001
 falsepositives:
 - unknown
 level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index feb5a72dc..e12289fc3 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -9,8 +9,8 @@ date: 2018/09/03
 modified: 2019/12/16
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
index 88c0107ef..d6c51267f 100644
--- a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/0gtweet/status/1281103918693482496
 tags:
 - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
 - attack.defense_evasion
 - attack.t1027
- - attack.t1086
- - attack.t1059.001
 author: Florian Roth
 date: 2020/07/09
 logsource:
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 417c37dcf..d004c1e13 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -6,8 +6,8 @@ references:
 - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 author: John Lambert (rule)
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index dfb15868a..7ddebda00 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -8,8 +8,8 @@ references:
 - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
index 018e510b8..b58535be5 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -8,8 +8,8 @@ author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/03/20
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index bfa3d6ff1..9a90a1c77 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -11,9 +11,9 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - attack.credential_access
- - attack.t1003
- - car.2013-05-009
 - attack.t1003.001
+ - attack.t1003 # an old one
+ - car.2013-05-009
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index 13c16b3ac..b110943c1 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -7,8 +7,8 @@ references:
 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
 author: Florian Roth
 date: 2019/01/09
 logsource:
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
index f2440a8ae..088ae8e47 100644
--- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
@@ -5,11 +5,14 @@ description: Detects the execution of powershell, a WebClient object creation an
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 author: Florian Roth
-date: 2020/03/25
+date: 2020/08/28
 tags:
 - attack.execution
- - attack.t1086
 - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.command_and_control
+ - attack.t1104
+ - attack.t1105
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
index f72593ed8..cae1a0a4f 100644
--- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
+++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
@@ -7,10 +7,10 @@ references:
 - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
 author: Beyu Denis, oscd.community
 date: 2019/10/12
-modified: 2019/11/04
+modified: 2020/08/28
 tags:
- - attack.persistence
- - attack.t1218
+ - attack.collection
+ - attack.t1113
 level: medium
 logsource:
 category: process_creation
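Review bot: In the win_susp_ps_downloadfile.yml hunk the creation date is overwritten (`-date: 2020/03/25` / `+date: 2020/08/28`) instead of recording the edit in a `modified` field, which is what every other hunk in this commit does and what the repository's date/modified convention calls for; the rule's original authorship date is lost. Keep `date: 2020/03/25` and add `modified: 2020/08/28` after it. Separately, `attack.t1104` (Multi-Stage Channels) looks like a stretch for a plain DownloadFile detection next to `attack.t1105`; confirm it was intended rather than a typo.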
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 3ae37c20c..67e7d2e28 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -6,9 +6,13 @@ references:
 - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
 author: '@ROxPinTeddy'
 date: 2020/05/12
+modified: 2020/08/28
 tags:
- - attack.exfiltration
- - attack.t1002
+ - attack.collection
+ - attack.t1560.001
+ - attack.exfiltration # an old one
+ - attack.t1002 # an old one
+
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 017592696..f3aadc493 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -9,8 +9,8 @@ date: 2019/01/16
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1064
 - attack.t1059
+ - attack.t1064 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
index e85a02859..74d50f3d5 100644
--- a/rules/windows/process_creation/win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
@@ -4,9 +4,12 @@ status: experimental
 description: Detects suspicious command line activity on Windows systems
 author: Florian Roth
 date: 2019/01/16
+modified: 2020/08/28
 tags:
 - attack.discovery
- - attack.t1087.001
+ - attack.t1087.001
+ - attack.t1087.002
+ - attack.t1087 # an old one
 logsource:
 category: process_creation
 product: windows
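Review bot: The win_susp_rar_flags.yml hunk adds an empty line (the bare `+` after `attack.t1002 # an old one`) between the end of the `tags` list and `logsource:`; it parses fine but no other rule touched here separates top-level keys that way, and the same stray blank line is added in the win_susp_regsvr32_anomalies.yml hunk on the next line of this page. Drop the added blank line in both files so the tag blocks stay contiguous.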
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index a19bdbf7d..b4e4cc09b 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -4,15 +4,17 @@ status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
 date: 2019/01/16
+modified: 2020/08/28
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 tags:
- - attack.t1117
 - attack.defense_evasion
- - attack.execution
+ - attack.t1218.010
+ - attack.execution # an old one
+ - attack.t1117 # an old one
 - car.2019-04-002
 - car.2019-04-003
- - attack.t1218
+
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
index f0064816b..4af3cb4d3 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
@@ -7,9 +7,9 @@ date: 2019/07/13
 references:
 - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 tags:
- - attack.t1117
 - attack.defense_evasion
 - attack.t1218.010
+ - attack.t1117 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_renamed_dctask64.yml b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
index 53a3ea172..b1c1adffc 100644
--- a/rules/windows/process_creation/win_susp_renamed_dctask64.yml
+++ b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
@@ -8,9 +8,13 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth
 date: 2020/01/28
+modified: 2020/08/28
 tags:
 - attack.defense_evasion
- - attack.t1055
+ - attack.t1036
+ - attack.t1055.001
+ - attack.t1202
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index a7dedd202..5e810d444 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -8,9 +8,9 @@ references:
 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
 tags:
 - attack.defense_evasion
- - attack.execution
- - attack.t1085
+ - attack.execution # an old one
 - attack.t1218.011
+ - attack.t1085 # an old one
 author: juju4
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 0867f34b8..584e5f49e 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -8,9 +8,9 @@ references:
 - https://twitter.com/cyb3rops/status/1186631731543236608
 tags:
 - attack.defense_evasion
- - attack.execution
- - attack.t1085
+ - attack.execution # an old one
 - attack.t1218.011
+ - attack.t1085 # an old one
 author: Florian Roth
 date: 2019/10/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 9a33912af..491f18dd0 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -21,10 +21,10 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1053
+ - attack.t1053.005
+ - attack.t1053 # an old one
 - attack.s0111
 - car.2013-08-001
- - attack.t1053.005
 falsepositives:
 - Administrative activity
 - Software installation
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 2e7ad48da..d16346b10 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -4,10 +4,12 @@ status: experimental
 description: Detects suspicious file execution by wscript and cscript
 author: Michael Haag
 date: 2019/01/16
+modified: 2020/08/28
 tags:
 - attack.execution
- - attack.t1064
 - attack.t1059.005
+ - attack.t1059.007
+ - attack.t1064 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 6e6504ba3..e04dd5d7c 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -6,10 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
 tags:
 - attack.persistence
- - attack.t1031
+ - attack.privilege_escalation
 - attack.t1543.003
+ - attack.t1031 # an old one
 date: 2019/10/21
-modified: 2019/11/10
+modified: 2020/08/28
 author: Victor Sergeev, oscd.community
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index d997cd09c..b07788187 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -7,8 +7,11 @@ references:
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 tags:
 - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
 author: Karneades / Markus Neis
 date: 2019/11/12
+modified: 2020/08/28
 falsepositives:
 - 1Clipboard
 - Beaker Browser
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 158e21905..717a7bea2 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -4,9 +4,11 @@ status: experimental
 description: Detects a suspicious svchost process start
 tags:
 - attack.defense_evasion
- - attack.t1036
+ - attack.t1036.005
+ - attack.t1036 # an old one
 author: Florian Roth
 date: 2017/08/15
+modified: 2020/08/28
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
index 4da570b7e..9094eec7b 100644
--- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
@@ -6,8 +6,10 @@ references:
 - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett
 date: 2019/12/28
-modified: 2020/07/23
+modified: 2020/08/28
 tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 0e6fb1a91..810684f87 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -1,4 +1,4 @@
-title: Suspicious SYSVOL Domain Group Policy Access
+ title: Suspicious SYSVOL Domain Group Policy Access
 id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
 status: experimental
 description: Detects Access to Domain Group Policies stored in SYSVOL
@@ -7,10 +7,11 @@ references:
 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
 author: Markus Neis
 date: 2018/04/09
-modified: 2018/12/11
+modified: 2020/08/28
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1552.006
+ - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
index 2a25beefd..69f18bf0a 100644
--- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -5,6 +5,7 @@ author: Den Iuzvyk
 reference:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 date: 2020/07/15
+modified: 2020/08/26
 logsource:
 category: sysmon
 product: windows
@@ -12,7 +13,8 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1073
+ - attack.t1073 # an old one
+ - attack.t1574.002
 detection:
 condition: selection_dll and not filter_legit
 selection_dll:
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index dbb055ad0..7eaed87c7 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
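Review bot: The first hunk of win_susp_sysvol_access.yml replaces `title: ...` with ` title: ...` — the new line carries a leading space before the key, while `id:` on the next line stays at column 0. A mapping that starts at indent 1 and continues at indent 0 is a YAML parse error, so this rule will fail to load and every tool that walks the rules directory will stop on it; nothing else in the hunk changes. Restore the line to `title: Suspicious SYSVOL Domain Group Policy Access` with no leading whitespace (the hunk then becomes a no-op and can be dropped).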
@@ -6,10 +6,12 @@ references:
 - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 tags:
 - attack.defense_evasion
- - attack.t1027
+ - attack.t1027 # an old one
 - attack.s0139
+ - attack.t1564.004
 author: Florian Roth, @0xrawsec
 date: 2018/06/03
+modified: 2020/08/26
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index da710320d..4e064bc8e 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
 tags:
 - attack.execution
- - attack.t1086
+ - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
index 676d077ae..9b8b5ec95 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -7,6 +7,7 @@ references:
 status: experimental
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
+modified: 2020/08/28
 logsource:
 product: windows
 service: sysmon
@@ -23,9 +24,14 @@ detection:
 StartModule: null
 condition: selection
 tags:
+ - attack.defense_evasion
+ - attack.t1093 # an old one
+ - attack.t1055.012
 - attack.execution
- - attack.t1055
- - attack.t1064
+ - attack.t1064 # an old one
+ - attack.t1059.005
+ - attack.t1059.007
+ - attack.t1218.005
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index c6154de44..5bf2897cf 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
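Review bot: The second sysmon_cactustorch.yml hunk introduces `attack.t1093 # an old one` on a rule that never carried t1093, which contradicts the marker's meaning everywhere else in this commit (a legacy ID retained for consumers still keyed on it); a retired ID that is new to the file has no compatibility value and should be dropped, keeping only `attack.t1055.012`. The treatment of T1055 is also inconsistent across the commit: this hunk and win_susp_renamed_dctask64.yml remove it, sysmon_cobaltstrike_process_injection.yml and sysmon_createremotethread_loadlibrary.yml keep it marked `# an old one` although T1055 is still the live parent technique, and sysmon_suspicious_remote_thread.yml keeps it unmarked. Pick one policy for a still-valid parent ID and apply it to all five files.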
@@ -6,11 +6,13 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1191
+ - attack.t1191 # an old one
+ - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
 author: Nik Seetharaman
 date: 2018/07/16
+modified: 2020/08/28
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 detection:
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
index ab600b30e..e2b972247 100644
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
@@ -6,11 +6,12 @@ references:
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
 - attack.defense_evasion
- - attack.t1055
+ - attack.t1055 # an old one
+ - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2019/11/08
+modified: 2020/08/28
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
index 5c560981a..bf831b326 100644
--- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
@@ -3,13 +3,14 @@ id: 052ec6f6-1adc-41e6-907a-f1c813478bee
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
 status: experimental
 date: 2019/08/11
-modified: 2019/11/10
+modified: 2020/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
 tags:
 - attack.defense_evasion
- - attack.t1055
+ - attack.t1055 # an old one
+ - attack.t1055.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
index 78c45714f..393aa87b3 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
@@ -3,14 +3,16 @@ id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
 description: Detects well-known credential dumping tools execution via specific named pipes
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
+modified: 2020/08/28
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1003 # an old one
+ - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
- - attack.t1003.006
+ - attack.t1003.005
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index c17ba4e93..a8d8db9b7 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -17,7 +17,7 @@ detection:
 condition: selection
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1003 # an old one
 - attack.s0005
 - attack.t1003.001
 falsepositives:
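Review bot: In the sysmon_cred_dump_tools_named_pipes.yml hunk, `attack.t1003.006` is swapped for `attack.t1003.005` rather than added alongside it, which changes the rule's mapping from DCSync to Cached Domain Credentials with no `# an old one` marker and no mention in the commit; both are current sub-technique IDs, so this is not a deprecation fix. The detection block is outside the hunk, but a named-pipe rule for the usual dumping tools plausibly covers both behaviours; if so keep `  - attack.t1003.005` and `  - attack.t1003.006` together, otherwise state in the commit message why .006 no longer applies.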
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 6070a6738..5284ec125 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
@@ -3,14 +3,13 @@ id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: experimental
 description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
 date: 2019/10/25
-modified: 2019/11/13
+modified: 2020/08/28
 author: Ilyas Ochkov, oscd.community
 references:
 - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
 tags:
- - attack.command_and_control
- - attack.t1043
- - attack.t1571
+ - attack.initial_access
+ - attack.t1189
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index d989a010e..652da06fa 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -18,9 +18,9 @@ detection:
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085
- - attack.t1086
+ - attack.t1085 # an old one
 - attack.t1218.011
+ - attack.t1086 # an old one
 - attack.t1059.001
 falsepositives:
 - Unkown
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index 00d51a6a7..fe2dee61a 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
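Review bot: The sysmon_possible_dns_rebinding.yml hunk removes `attack.t1571` together with `attack.t1043`, but only T1043 is the retired ID; T1571 is a current technique, and a previous edit of this rule evidently added it on purpose, so dropping it without the `# an old one` marker or a note is a silent scope change. If the remapping to `attack.initial_access` / `attack.t1189` is meant to replace the C2 view entirely, say so in the commit message; otherwise keep `  - attack.t1571` and retain `  - attack.t1043 # an old one` for consistency with the other hunks.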
@@ -7,7 +7,7 @@ notes:
 - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2019/11/13
+modified: 2020/08/28
 author: Perez Diego (@darkquassar), oscd.community
 references:
 - Personal research, statistical analysis
@@ -17,6 +17,7 @@ logsource:
 service: sysmon
 tags:
 - attack.privilege_escalation
+ - attack.defense_evasion
 - attack.t1055
 detection:
 selection:
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
index 6862faf3e..df6b6e440 100644
--- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
@@ -2,10 +2,8 @@ title: WMI Event Subscription
 id: 0f06a3a5-6a09-413f-8743-e6cf35561297
 status: experimental
 description: Detects creation of WMI event subscription persistence method
-references:
- - https://attack.mitre.org/techniques/T1084/
 tags:
- - attack.t1084
+ - attack.t1084 # an old one
 - attack.persistence
 - attack.t1546.003
 author: Tom Ueltschi (@c_APT_ure)
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index ad5c41329..e1f150b77 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
 date: 2019/04/15
 tags:
- - attack.t1086
+ - attack.t1086 # an old one
 - attack.execution
 - attack.t1059.005
 logsource:
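Review bot: The sysmon_wmi_event_subscription.yml hunk deletes the whole `references:` block instead of updating it, so the rule is left with no reference at all while the tag it points analysts to moves to T1546.003; the rest of this commit keeps metadata and only retags. Replace the removed lines with `references:` and `  - https://attack.mitre.org/techniques/T1546/003/` so the rule keeps a citation for its current mapping. The remainder of the rule (logsource, detection) is outside the hunk.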