diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 5b36cab65..7417d5035 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -39,3 +39,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
+fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
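Review bot: The `.*` pattern added for rule fdbf0b9d-0182-4c43-893b-a1eaab92d085 matches every possible value, so the known-false-positive check is effectively disabled for "Newly Registered Protocol Handler" rather than scoped to a specific benign finding the way the neighbouring entries are (`unzip\.exe`, `TeamViewer_\.exe`, `Computer: Agamemnon`). If the rule is genuinely noisy against the test corpus, a narrower pattern naming the handler or binary that triggers it would keep the check meaningful; if a blanket exclusion is intended, a trailing comment in the row (or in the workflow that consumes this file, which is not visible here) should say why. I cannot see how the workflow applies these regexes, so whether `.*` is anchored or partial is inferred.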
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index ed6ddcc02..3acc5d8f0 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -26,7 +26,7 @@ detection:
falsepositives:
- Not using a PAW/SAW in the environment
tags:
- - attack.valid_accounts
+ - attack.defense_evasion
- attack.privilege_escalation
- attack.t1078
level: high
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
index 8f6aab6f7..7949f61dd 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -22,6 +22,6 @@ detection:
falsepositives:
- A legit admin not following proper processes
tags:
- - attack.valid_accounts
+ - attack.defense_evasion
- attack.t1078
level: high
diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
index 7b7f9a977..c5eb0a830 100644
--- a/rules/application/antivirus/av_hacktool.yml
+++ b/rules/application/antivirus/av_hacktool.yml
@@ -1,11 +1,15 @@
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+status: test
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
-status: experimental
-date: 2021/08/16
-author: Florian Roth
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+author: Florian Roth
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1204
logsource:
category: antivirus
detection:
@@ -18,12 +22,9 @@ detection:
- Signature|contains:
- 'Hacktool'
condition: selection
-fields:
- - FileName
- - User
falsepositives:
- Unlikely
level: high
-tags:
- - attack.execution
- - attack.t1204
+fields:
+ - FileName
+ - User
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index 8f4d5ef82..e623df577 100644
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@@ -1,41 +1,45 @@
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
-description: Detects Silence empireDNSagent
+description: Detects Silence EmpireDNSAgent as described in the Group-IP report
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
-modified: 2021/11/27
+modified: 2022/10/05
+references:
+ - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
logsource:
- product: windows
- service: powershell
+ product: windows
+ service: powershell
detection:
- empire:
- ScriptBlockText|contains|all: # better to randomise the order
- - 'System.Diagnostics.Process'
- - 'Stop-Computer'
- - 'Restart-Computer'
- - 'Exception in execution'
- - '$cmdargs'
- - 'Close-Dnscat2Tunnel'
- dnscat:
- ScriptBlockText|contains|all: # better to randomise the order
- - 'set type=$LookupType`nserver'
- - '$Command | nslookup 2>&1 | Out-String'
- - 'New-RandomDNSField'
- - '[Convert]::ToString($SYNOptions, 16)'
- - '$Session.Dead = $True'
- - '$Session["Driver"] -eq'
- condition: empire and dnscat
+ empire:
+ # better to randomise the order
+ ScriptBlockText|contains|all:
+ - 'System.Diagnostics.Process'
+ - 'Stop-Computer'
+ - 'Restart-Computer'
+ - 'Exception in execution'
+ - '$cmdargs'
+ - 'Close-Dnscat2Tunnel'
+ dnscat:
+ # better to randomise the order
+ ScriptBlockText|contains|all:
+ - 'set type=$LookupType`nserver'
+ - '$Command | nslookup 2>&1 | Out-String'
+ - 'New-RandomDNSField'
+ - '[Convert]::ToString($SYNOptions, 16)'
+ - '$Session.Dead = $True'
+ - '$Session["Driver"] -eq'
+ condition: empire and dnscat
falsepositives:
- - Unknown
+ - Unknown
level: critical
tags:
- - attack.execution
- - attack.t1059.001
- - attack.command_and_control
- - attack.t1071.004
- - attack.t1572
- - attack.impact
- - attack.t1529
- - attack.g0091
- - attack.s0363
+ - attack.execution
+ - attack.t1059.001
+ - attack.command_and_control
+ - attack.t1071.004
+ - attack.t1572
+ - attack.impact
+ - attack.t1529
+ - attack.g0091
+ - attack.s0363
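Review bot: The new description says "Group-IP report" while the reference added two lines below points at group-ib.com; the vendor is Group-IB, so the line should read `description: Detects Silence EmpireDNSAgent as described in the Group-IB report`. The rest of the hunk is re-indentation and is fine; the `# better to randomise the order` comments are harmless but misleading, since `contains|all` is order-independent, so consider dropping them or rephrasing as `# order of terms is irrelevant for contains|all`.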
diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
index 8512640c3..150ebfa42 100644
--- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
@@ -1,11 +1,14 @@
title: AWS Attached Malicious Lambda Layer
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+status: test
description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
-author: Austin Songer
-status: experimental
-date: 2021/09/23
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
+author: Austin Songer
+date: 2021/09/23
+modified: 2022/10/09
+tags:
+ - attack.privilege_escalation
logsource:
product: aws
service: cloudtrail
@@ -14,9 +17,7 @@ detection:
eventSource: lambda.amazonaws.com
eventName|startswith: 'UpdateFunctionConfiguration'
condition: selection
-level: medium
-tags:
- - attack.privilege_escalation
falsepositives:
- - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
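Review bot: The selection fires on every `UpdateFunctionConfiguration` call (memory, timeout, handler, environment-variable or VPC changes), not only when a layer is attached as the title and description claim, so the rule is considerably noisier than documented. If the goal is layer attachment, narrow the selection on the layer parameter, e.g. `requestParameters.layers|contains: 'arn:aws:lambda:'`, after confirming the exact field path against a captured CloudTrail record for this API; otherwise the description should be broadened to match what the logic actually catches. The detection block starts before this hunk, so the full selection is not visible here.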
diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
index 965007fc9..eeae3dc7a 100644
--- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
@@ -1,12 +1,15 @@
title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
-status: experimental
+status: test
description: Detects disabling, deleting and updating of a Trail
-author: vitaliy0x1
-date: 2020/01/21
-modified: 2021/08/09
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+author: vitaliy0x1
+date: 2020/01/21
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: aws
service: cloudtrail
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Valid change in a Trail
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml
index 6a0d9e6a3..c56282671 100644
--- a/rules/cloud/aws/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/aws_config_disable_recording.yml
@@ -1,10 +1,13 @@
title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
-status: experimental
+status: test
description: Detects AWS Config Service disabling
author: vitaliy0x1
date: 2020/01/21
-modified: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: aws
service: cloudtrail
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Valid change in AWS Config Service
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/cloud/aws/aws_ec2_download_userdata.yml b/rules/cloud/aws/aws_ec2_download_userdata.yml
index 340bdea8c..fa370d39a 100644
--- a/rules/cloud/aws/aws_ec2_download_userdata.yml
+++ b/rules/cloud/aws/aws_ec2_download_userdata.yml
@@ -1,12 +1,15 @@
title: AWS EC2 Download Userdata
id: 26ff4080-194e-47e7-9889-ef7602efed0c
-status: experimental
+status: test
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
-author: faloker
-date: 2020/02/11
-modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py
+author: faloker
+date: 2020/02/11
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1020
logsource:
product: aws
service: cloudtrail
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Assets management software like device42
level: medium
-tags:
- - attack.exfiltration
- - attack.t1020
diff --git a/rules/cloud/aws/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/aws_ec2_vm_export_failure.yml
index 57c2fa5c2..98df4181f 100644
--- a/rules/cloud/aws/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws/aws_ec2_vm_export_failure.yml
@@ -1,30 +1,29 @@
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: experimental
-description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
author: Diogo Braz
date: 2020/04/16
-modified: 2021/08/20
-references:
- - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
+modified: 2022/10/05
+references:
+ - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
logsource:
- product: aws
- service: cloudtrail
+ product: aws
+ service: cloudtrail
detection:
- selection:
- eventName: 'CreateInstanceExportTask'
- eventSource: 'ec2.amazonaws.com'
- filter1:
- errorMessage: '*'
- filter2:
- errorCode: '*'
- filter3:
- responseElements|contains: 'Failure'
- condition: selection and (filter1 or filter2 or filter3)
+ selection:
+ eventName: 'CreateInstanceExportTask'
+ eventSource: 'ec2.amazonaws.com'
+ filter1:
+ errorMessage|contains: '*'
+ filter2:
+ errorCode|contains: '*'
+ filter3:
+ responseElements|contains: 'Failure'
+ condition: selection and not 1 of filter*
level: low
tags:
-- attack.collection
-- attack.t1005
-- attack.exfiltration
-- attack.t1537
-
+ - attack.collection
+ - attack.t1005
+ - attack.exfiltration
+ - attack.t1537
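Review bot: The new condition `selection and not 1 of filter*` inverts the rule: the old form `selection and (filter1 or filter2 or filter3)` fired when an error field or a `Failure` response was present, whereas the new form fires only when none of them is, i.e. on successful exports. The title "AWS EC2 VM Export Failure" and the unchanged tags still describe the failure case, so either the condition should stay as `selection and 1 of filter*` or the title should become something like `AWS EC2 VM Export Task Created` with the description saying it matches successful `CreateInstanceExportTask` calls. Separately, `errorMessage|contains: '*'` and `errorCode|contains: '*'` are just the field-present idiom written with extra wildcards; the plain `errorMessage: '*'` form from the removed lines is clearer and equivalent on the backends I am aware of.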
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
index fac7b591d..913d978a0 100644
--- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
@@ -1,11 +1,14 @@
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
-status: experimental
+status: test
description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
-author: Austin Songer @austinsonger
-date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
product: aws
service: cloudtrail
@@ -17,5 +20,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index 59b3e7304..da66ea29a 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -1,11 +1,15 @@
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
-status: experimental
+status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
-author: Austin Songer @austinsonger
-date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1485
logsource:
product: aws
service: cloudtrail
@@ -17,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
- - attack.t1485
diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
index 65d3a3bac..241835475 100644
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
@@ -1,26 +1,27 @@
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
+status: test
description: Identifies when an EKS cluster is created or deleted.
-author: Austin Songer
-status: experimental
-date: 2021/08/16
references:
- https://any-api.com/amazonaws_com/eks/docs/API_Description
+author: Austin Songer
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1485
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: eks.amazonaws.com
- eventName:
+ eventName:
- CreateCluster
- DeleteCluster
condition: selection
-level: low
-tags:
- - attack.impact
- - attack.t1485
falsepositives:
- - EKS Cluster being created or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - EKS Cluster being created or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml
index ed485043d..415f69cb1 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml
@@ -1,12 +1,16 @@
title: AWS ElastiCache Security Group Created
-id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
-description: Detects when an ElastiCache security group has been created.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
+id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
+status: test
+description: Detects when an ElastiCache security group has been created.
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1136
+ - attack.t1136.003
logsource:
product: aws
service: cloudtrail
@@ -15,12 +19,8 @@ detection:
eventSource: elasticache.amazonaws.com
eventName: 'CreateCacheSecurityGroup'
condition: selection
-level: low
-tags:
- - attack.persistence
- - attack.t1136
- - attack.t1136.003
falsepositives:
-- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
index fc7daf4a1..8c162d317 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
@@ -1,30 +1,30 @@
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
+status: test
description: Identifies when an ElastiCache security group has been modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1531
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
- eventName:
+ eventName:
- 'DeleteCacheSecurityGroup'
- 'AuthorizeCacheSecurityGroupIngress'
- 'RevokeCacheSecurityGroupIngress'
- 'AuthorizeCacheSecurityGroupEgress'
- 'RevokeCacheSecurityGroupEgress'
condition: selection
-level: low
-tags:
- - attack.impact
- - attack.t1531
falsepositives:
-- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/aws/aws_enum_listing.yml b/rules/cloud/aws/aws_enum_listing.yml
index f43bfeea6..f8ec875fd 100644
--- a/rules/cloud/aws/aws_enum_listing.yml
+++ b/rules/cloud/aws/aws_enum_listing.yml
@@ -1,10 +1,13 @@
title: Account Enumeration on AWS
-id: e9c14b23-47e2-4a8b-8a63-d36618e33d70
-status: experimental
-description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
+id: e9c14b23-47e2-4a8b-8a63-d36618e33d70
+status: test
+description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
author: toffeebr33k
date: 2020/11/21
-modified: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.discovery
+ - attack.t1592
logsource:
product: aws
service: cloudtrail
@@ -13,11 +16,8 @@ detection:
eventName: list*
timeframe: 10m
condition: selection_eventname | count() > 50
-fields:
- - userIdentity.arn
falsepositives:
- AWS Config or other configuration scanning activities
level: low
-tags:
- - attack.discovery
- - attack.t1592
+fields:
+ - userIdentity.arn
diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml
index 9a60c4998..b81f188c4 100644
--- a/rules/cloud/aws/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/aws_guardduty_disruption.yml
@@ -1,12 +1,15 @@
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
-status: experimental
+status: test
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
-author: faloker
-date: 2020/02/11
-modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
+author: faloker
+date: 2020/02/11
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: aws
service: cloudtrail
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
index aa9390dfa..8e1ea42ee 100644
--- a/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/aws_iam_backdoor_users_keys.yml
@@ -1,12 +1,15 @@
title: AWS IAM Backdoor Users Keys
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
-status: experimental
+status: test
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
-author: faloker
-date: 2020/02/12
-modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
+author: faloker
+date: 2020/02/12
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1098
logsource:
product: aws
service: cloudtrail
@@ -17,15 +20,12 @@ detection:
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: selection_source and not filter
+falsepositives:
+ - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
+ - AWS API keys legitimate exchange workflows
+level: medium
fields:
- userIdentity.arn
- responseElements.accessKey.userName
- errorCode
- errorMessage
-falsepositives:
- - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
- - AWS API keys legitimate exchange workflows
-level: medium
-tags:
- - attack.persistence
- - attack.t1098
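Review bot: The unchanged `filter` in this hunk compares `userIdentity.arn` against the literal string `responseElements.accessKey.userName`; Sigma modifiers take literal values, not field references, so unless the target backend resolves this as a field comparison the filter never matches and self-service key creation is not excluded, contrary to the intent stated in `falsepositives`. Since the commit re-touches this rule's metadata, it is a good moment to either replace the filter with a backend-specific field comparison or to document the assumption inline, e.g. `# NOTE: only works on backends that resolve the value as a field reference; plain Sigma treats it as a literal`. The detection block begins before this hunk, so `selection_source` is not visible here.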
diff --git a/rules/cloud/aws/aws_macic_evasion.yml b/rules/cloud/aws/aws_macic_evasion.yml
index 9e04bbc34..ebebfc3f5 100644
--- a/rules/cloud/aws/aws_macic_evasion.yml
+++ b/rules/cloud/aws/aws_macic_evasion.yml
@@ -1,11 +1,12 @@
title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
-status: experimental
+status: test
description: Detects evade to Macie detection.
-author: Sittikorn S
-date: 2021/07/06
references:
- https://docs.aws.amazon.com/cli/latest/reference/macie/
+author: Sittikorn S
+date: 2021/07/06
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -28,9 +29,9 @@ detection:
- 'UpdateClassificationJob'
timeframe: 10m
condition: selection | count() by sourceIPAddress > 5
-fields:
- - sourceIPAddress
- - userIdentity.arn
falsepositives:
- System or Network administrator behaviors
level: medium
+fields:
+ - sourceIPAddress
+ - userIdentity.arn
diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml
index a1cd4f50c..84a16ba09 100644
--- a/rules/cloud/aws/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws/aws_rds_change_master_password.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects the change of database master password. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
-modified: 2021/08/20
+modified: 2022/10/05
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
logsource:
@@ -13,7 +13,7 @@ logsource:
detection:
selection_source:
eventSource: rds.amazonaws.com
- responseElements.pendingModifiedValues.masterUserPassword: '*'
+ responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml
index 83a572b18..597a66a6f 100644
--- a/rules/cloud/aws/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/aws_rds_public_db_restore.yml
@@ -1,12 +1,15 @@
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
-status: experimental
+status: test
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
-author: faloker
-date: 2020/02/12
-modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
+author: faloker
+date: 2020/02/12
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1020
logsource:
product: aws
service: cloudtrail
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.exfiltration
- - attack.t1020
diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml
index 14bbc35e5..5470622d7 100644
--- a/rules/cloud/aws/aws_root_account_usage.yml
+++ b/rules/cloud/aws/aws_root_account_usage.yml
@@ -1,24 +1,24 @@
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
-status: experimental
+status: test
description: Detects AWS root account usage
+references:
+ - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
author: vitaliy0x1
date: 2020/01/21
-modified: 2021/08/09
-references:
- - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection_usertype:
- userIdentity.type: Root
- selection_eventtype:
- eventType: AwsServiceEvent
- condition: selection_usertype and not selection_eventtype
-falsepositives:
- - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
-level: medium
+modified: 2022/10/09
tags:
- - attack.privilege_escalation
- - attack.t1078.004
+ - attack.privilege_escalation
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection_usertype:
+ userIdentity.type: Root
+ selection_eventtype:
+ eventType: AwsServiceEvent
+ condition: selection_usertype and not selection_eventtype
+falsepositives:
+ - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+level: medium
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
index acdcdb383..bf738eff0 100644
--- a/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml
@@ -1,13 +1,18 @@
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
+status: test
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
-author: Elastic, Austin Songer @austinsonger
-status: experimental
-date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
+author: Elastic, Austin Songer @austinsonger
+date: 2021/07/22
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.credential_access
+ - attack.t1098
logsource:
product: aws
service: cloudtrail
@@ -19,7 +24,3 @@ detection:
falsepositives:
- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
-tags:
- - attack.persistence
- - attack.credential_access
- - attack.t1098
diff --git a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
index a1d7efe86..599badbcd 100644
--- a/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml
@@ -1,11 +1,16 @@
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
+status: test
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
-author: Elastic, Austin Songer @austinsonger
-status: experimental
-date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+author: Elastic, Austin Songer @austinsonger
+date: 2021/07/22
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.credential_access
+ - attack.t1098
logsource:
product: aws
service: cloudtrail
@@ -17,7 +22,3 @@ detection:
falsepositives:
- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
-tags:
- - attack.persistence
- - attack.credential_access
- - attack.t1098
diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml
index 13e21a4bc..393dbbc73 100644
--- a/rules/cloud/aws/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml
@@ -1,10 +1,7 @@
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+status: test
description: Detects when a user tampers with S3 data management in Amazon Web Services.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
@@ -13,6 +10,12 @@ references:
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1537
logsource:
product: aws
service: cloudtrail
@@ -20,17 +23,14 @@ detection:
selection:
eventSource: s3.amazonaws.com
eventName:
- - PutBucketLogging
- - PutBucketWebsite
- - PutEncryptionConfiguration
- - PutLifecycleConfiguration
- - PutReplicationConfiguration
- - ReplicateObject
- - RestoreObject
+ - PutBucketLogging
+ - PutBucketWebsite
+ - PutEncryptionConfiguration
+ - PutLifecycleConfiguration
+ - PutReplicationConfiguration
+ - ReplicateObject
+ - RestoreObject
condition: selection
-level: low
-tags:
- - attack.exfiltration
- - attack.t1537
falsepositives:
-- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
index 1f6b76ae1..bc0615dcf 100644
--- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
@@ -1,13 +1,19 @@
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
+status: test
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/20
references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1548
+ - attack.t1550
+ - attack.t1550.001
logsource:
product: aws
service: cloudtrail
@@ -16,14 +22,8 @@ detection:
userIdentity.type: AssumedRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
-level: low
-tags:
- - attack.lateral_movement
- - attack.privilege_escalation
- - attack.t1548
- - attack.t1550
- - attack.t1550.001
falsepositives:
- AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Automated processes that uses Terraform may lead to false positives.
+level: low
diff --git a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
index 340e41bc6..817c97a06 100644
--- a/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml
@@ -1,12 +1,19 @@
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
+status: test
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
references:
- https://github.com/elastic/detection-rules/pull/1213
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1548
+ - attack.t1550
+ - attack.t1550.001
logsource:
product: aws
service: cloudtrail
@@ -16,12 +23,6 @@ detection:
eventName: GetSessionToken
userIdentity.type: IAMUser
condition: selection
-level: low
-tags:
- - attack.lateral_movement
- - attack.privilege_escalation
- - attack.t1548
- - attack.t1550
- - attack.t1550.001
falsepositives:
-- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/aws/aws_susp_saml_activity.yml b/rules/cloud/aws/aws_susp_saml_activity.yml
index d6caa4835..e97a2be62 100644
--- a/rules/cloud/aws/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/aws_susp_saml_activity.yml
@@ -1,12 +1,21 @@
-title: AWS Suspicious SAML Activity
+title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
+status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
-author: Austin Songer
-status: experimental
-date: 2021/09/22
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+author: Austin Songer
+date: 2021/09/22
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1078
+ - attack.lateral_movement
+ - attack.t1548
+ - attack.privilege_escalation
+ - attack.t1550
+ - attack.t1550.001
logsource:
product: aws
service: cloudtrail
@@ -18,16 +27,8 @@ detection:
eventSource: iam.amazonaws.com
eventName: UpdateSAMLProvider
condition: selection1 or selection2
-level: medium
-tags:
- - attack.initial_access
- - attack.t1078
- - attack.lateral_movement
- - attack.t1548
- - attack.privilege_escalation
- - attack.t1550
- - attack.t1550.001
falsepositives:
- - Automated processes that uses Terraform may lead to false positives.
- - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Automated processes that uses Terraform may lead to false positives.
+ - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml
index 093dbd905..f3bd1465e 100644
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@@ -1,13 +1,17 @@
title: AWS User Login Profile Was Modified
-id: 055fb148-60f8-462d-ad16-26926ce050f1
-status: experimental
-description: |
- An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
- With this alert, it is used to detect anyone is changing password on behalf of other users.
-author: toffeebr33k
-date: 2021/08/09
+id: 055fb148-60f8-462d-ad16-26926ce050f1
+status: test
+description: |
+ An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
+ With this alert, it is used to detect anyone is changing password on behalf of other users.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
+author: toffeebr33k
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1098
logsource:
product: aws
service: cloudtrail
@@ -18,14 +22,11 @@ detection:
filter:
userIdentity.arn|contains: requestParameters.userName
condition: selection_source and not filter
+falsepositives:
+ - Legit User Account Administration
+level: high
fields:
- userIdentity.arn
- requestParameters.userName
- errorCode
- errorMessage
-falsepositives:
- - Legit User Account Administration
-level: high
-tags:
- - attack.persistence
- - attack.t1098
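Review bot: The context line `userIdentity.arn|contains: requestParameters.userName` compares the ARN against the literal text `requestParameters.userName`, not against the userName field, because the Sigma format used here has no field-to-field comparison; so `not filter` never excludes a user changing their own password, which the description says is the intent. Unless the target backend adds a field-reference extension, the rule fires on self-service changes as well. Until that is supported I would record it in the rule: add `- Users changing their own console password` under falsepositives and a comment above the filter such as `# NOTE: literal string match, not a reference to the userName field`. The `selection_source` block this condition refers to starts above the hunk.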
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
index 8088ce3d7..9444f3b94 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -1,27 +1,28 @@
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
+status: test
description: |
- This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
- A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
- This can be done programmatically via HTTP requests to Azure.
-status: experimental
-date: 2021/08/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-tags:
- - attack.defense_evasion
- - attack.t1578
+ This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+ A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
+ This can be done programmatically via HTTP requests to Azure.
references:
- - https://o365blog.com/post/hybridhealthagent/
+ - https://o365blog.com/post/hybridhealthagent/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1578
logsource:
- product: azure
- service: azureactivity
+ product: azure
+ service: azureactivity
detection:
- selection:
- CategoryValue: 'Administrative'
- ResourceProviderValue: 'Microsoft.ADHybridHealthService'
- ResourceId|contains: 'AdFederationService'
- OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
- condition: selection
+ selection:
+ CategoryValue: 'Administrative'
+ ResourceProviderValue: 'Microsoft.ADHybridHealthService'
+ ResourceId|contains: 'AdFederationService'
+ OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
+ condition: selection
falsepositives:
- - Legitimate AD FS servers added to an AAD Health AD FS service instance
-level: medium
\ No newline at end of file
+ - Legitimate AD FS servers added to an AAD Health AD FS service instance
+level: medium
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
index 6fc97a25f..e0437c976 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
@@ -1,27 +1,28 @@
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
+status: test
description: |
- This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
- A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
- The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
-status: experimental
-date: 2021/08/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-tags:
- - attack.defense_evasion
- - attack.t1578.003
+ This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+ A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
+ The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
- - https://o365blog.com/post/hybridhealthagent/
+ - https://o365blog.com/post/hybridhealthagent/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1578.003
logsource:
- product: azure
- service: azureactivity
+ product: azure
+ service: azureactivity
detection:
- selection:
- CategoryValue: 'Administrative'
- ResourceProviderValue: 'Microsoft.ADHybridHealthService'
- ResourceId|contains: 'AdFederationService'
- OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
- condition: selection
+ selection:
+ CategoryValue: 'Administrative'
+ ResourceProviderValue: 'Microsoft.ADHybridHealthService'
+ ResourceId|contains: 'AdFederationService'
+ OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
+ condition: selection
falsepositives:
- - Legitimate AAD Health AD FS service instances being deleted in a tenant
-level: medium
\ No newline at end of file
+ - Legitimate AAD Health AD FS service instances being deleted in a tenant
+level: medium
diff --git a/rules/cloud/azure/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/azure_ad_auth_failure_increase.yml
index 68df012b2..3126798fc 100644
--- a/rules/cloud/azure/azure_ad_auth_failure_increase.yml
+++ b/rules/cloud/azure/azure_ad_auth_failure_increase.yml
@@ -17,6 +17,6 @@ detection:
falsepositives:
- Unlikely
tags:
- - attack.valid_accounts
+ - attack.defense_evasion
- attack.t1078
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/cloud/azure/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/azure_ad_auth_sucess_increase.yml
index cc129e26a..5177e3fc6 100644
--- a/rules/cloud/azure/azure_ad_auth_sucess_increase.yml
+++ b/rules/cloud/azure/azure_ad_auth_sucess_increase.yml
@@ -18,6 +18,6 @@ detection:
falsepositives:
- Increase of users in the environment
tags:
- - attack.valid_accounts
+ - attack.defense_evasion
- attack.t1078
level: low
diff --git a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
index e203e67b7..1173d4d7a 100644
--- a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
@@ -18,5 +18,5 @@ falsepositives:
level: medium
status: experimental
tags:
- - attack.valid_accounts
+ - attack.defense_evasion
- attack.t1078
diff --git a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
index 23c3582cb..2c6686f80 100644
--- a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
@@ -4,21 +4,21 @@ description: Monitor and alert for device registration or join events where MFA
author: Michael Epping, '@mepples21'
date: 2022/06/28
references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
logsource:
- product: azure
- service: signinlogs
+ product: azure
+ service: signinlogs
detection:
- selection:
- ResourceDisplayName: 'Device Registration Service'
- conditionalAccessStatus: 'success'
- filter_mfa:
- AuthenticationRequirement: 'multiFactorAuthentication'
- condition: selection and not filter_mfa
+ selection:
+ ResourceDisplayName: 'Device Registration Service'
+ conditionalAccessStatus: 'success'
+ filter_mfa:
+ AuthenticationRequirement: 'multiFactorAuthentication'
+ condition: selection and not filter_mfa
falsepositives:
- - Unknown
+ - Unknown
level: medium
status: experimental
tags:
- - attack.valid_accounts
- - attack.t1078
+ - attack.defense_evasion
+ - attack.t1078
diff --git a/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml
index e4c8d8555..97390cc88 100644
--- a/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml
+++ b/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml
@@ -4,19 +4,20 @@ description: Monitor and alert for changes to the device registration policy.
author: Michael Epping, '@mepples21'
date: 2022/06/28
references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
detection:
- selection:
- Category: 'Policy'
- ActivityDisplayName: 'Set device registration policies'
- condition: selection
+ selection:
+ Category: 'Policy'
+ ActivityDisplayName: 'Set device registration policies'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
status: experimental
tags:
- - attack.domain_policy_modification
- - attack.t1484
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1484
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
index 45003d427..3665796d0 100644
--- a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -4,18 +4,18 @@ description: Monitor and alert for sign-ins where the device was non-compliant.
author: Michael Epping, '@mepples21'
date: 2022/06/28
references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
logsource:
- product: azure
- service: signinlogs
+ product: azure
+ service: signinlogs
detection:
- selection:
- DeviceDetail.isCompliant: 'false'
- condition: selection
+ selection:
+ DeviceDetail.isCompliant: 'false'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
status: experimental
tags:
- - attack.valid_accounts
- - attack.t1078
+ - attack.defense_evasion
+ - attack.t1078
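Review bot: `DeviceDetail.isCompliant: 'false'` is a quoted string, so backends will render a string comparison; if the field arrives as a JSON boolean inside DeviceDetail (which is how Azure sign-in logs appear to carry it, worth confirming), the rule would never match. Consider the unquoted boolean `DeviceDetail.isCompliant: false`, or check a rendered query for the intended backend before relying on the rule. The quoting is pre-existing and not changed by this commit.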
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml
index 59e6ad2f1..6a2e76ffc 100644
--- a/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml
@@ -3,22 +3,23 @@ id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
author: Michael Epping, '@mepples21'
date: 2022/06/28
+modified: 2022/10/05
references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
logsource:
- product: azure
- service: signinlogs
+ product: azure
+ service: signinlogs
detection:
- selection:
- AuthenticationRequirement: singleFactorAuthentication
- ResultType: '0'
- NetworkLocationDetails: '[]'
- DeviceDetail.deviceId: ''
- condition: selection
+ selection:
+ AuthenticationRequirement: singleFactorAuthentication
+ ResultType: 0
+ NetworkLocationDetails: '[]'
+ DeviceDetail.deviceId: ''
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: low
status: experimental
tags:
- - attack.valid_accounts
- - attack.t1078
+ - attack.defense_evasion
+ - attack.t1078
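Review bot: Replacing `ResultType: '0'` with `ResultType: 0` turns the value from a string into an integer, so generated queries will compare numerically; in Microsoft Sentinel's SigninLogs table ResultType is a string column, so `ResultType == 0` would not match there. Either keep the quoted form or confirm that the backend in use coerces the type. `NetworkLocationDetails: '[]'` likewise depends on the field being serialized as the literal text `[]`, which deserves a comment such as `# matches the serialized empty array, not an empty field`.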
diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
index cf7c5d0f6..1e6eed127 100644
--- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
@@ -1,26 +1,27 @@
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+status: test
description: User Added to an Administrator's Azure AD Role
-author: Raphaël CALVET, @MetallicHack
-date: 2021/10/04
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
+author: Raphaël CALVET, @MetallicHack
+date: 2021/10/04
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1098.003
logsource:
product: azure
service: activitylogs
-detection:
- selection:
- Operation: 'Add member to role.'
- Workload: 'AzureActiveDirectory'
- ModifiedProperties{}.NewValue|endswith:
- - 'Admins'
- - 'Administrator'
- condition: selection
+detection:
+ selection:
+ Operation: 'Add member to role.'
+ Workload: 'AzureActiveDirectory'
+ ModifiedProperties{}.NewValue|endswith:
+ - 'Admins'
+ - 'Administrator'
+ condition: selection
falsepositives:
- - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
+ - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
-status: experimental
-tags:
- - attack.persistence
- - attack.t1098.003
diff --git a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
index 0c3140549..2ff6b2cd6 100644
--- a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
@@ -4,24 +4,24 @@ description: Monitor and alert for users added to device admin roles.
author: Michael Epping, '@mepples21'
date: 2022/06/28
references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
detection:
- selection:
- Category: RoleManagement
- OperationName|contains|all:
- - 'Add'
- - 'member to role'
- TargetResources|contains:
- - '7698a772-787b-4ac8-901f-60d6b08affd2'
- - '62e90394-69f5-4237-9190-012177145e10'
- condition: selection
+ selection:
+ Category: RoleManagement
+ OperationName|contains|all:
+ - 'Add'
+ - 'member to role'
+ TargetResources|contains:
+ - '7698a772-787b-4ac8-901f-60d6b08affd2'
+ - '62e90394-69f5-4237-9190-012177145e10'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
status: experimental
tags:
- - attack.valid_accounts
- - attack.t1078
+ - attack.defense_evasion
+ - attack.t1078
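Review bot: The tag block keeps `attack.t1078` while switching the tactic to `attack.defense_evasion`, but adding a user to a device-administrator role is account manipulation rather than use of a valid account, and the sibling rule azure_ad_user_added_to_admin_role in this same diff maps the equivalent event to `attack.persistence` / `attack.t1098.003`. I would align this rule with that: `- attack.persistence` and `- attack.t1098.003`.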
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
index bca556a2e..4bc842cff 100644
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@@ -1,22 +1,23 @@
title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
+status: test
description: Identifies when a application credential is modified.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/02
references:
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
+author: Austin Songer @austinsonger
+date: 2021/09/02
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
properties.message: 'Update application - Certificates and secrets management'
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Application credential added may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Application credential added may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
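Review bot: The moved tags block still carries only the tactic `attack.impact` and no technique, and Impact is a doubtful tactic for a credential being added to an application. Adding credentials to an app or service principal is usually mapped to Account Manipulation: Additional Cloud Credentials, so `- attack.persistence` and `- attack.t1098.001` would be more useful to consumers filtering on technique. The same tactic-only tagging appears in the azure_application_deleted, azure_device_no_longer_managed_or_compliant, azure_device_or_configuration_modified_or_deleted, azure_owner_removed_from_application_or_service_principal and azure_service_principal_created hunks.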
diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml
index 6d3ee5b0d..ed8811760 100644
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
@@ -1,24 +1,25 @@
title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
+status: test
description: Identifies when a application is deleted in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
properties.message:
- Delete application
- Hard Delete application
condition: selection
-level: medium
-tags:
- - attack.defense_evasion
falsepositives:
- - Application being deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Application being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index 0c33bda86..dd2365036 100644
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -1,22 +1,23 @@
title: Azure Device No Longer Managed or Compliant
id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
+status: test
description: Identifies when a device in azure is no longer managed or compliant
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
- properties.message:
+ properties.message:
- Device no longer compliant
- Device no longer managed
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Administrator may have forgotten to review the device.
+ - Administrator may have forgotten to review the device.
+level: medium
diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index cc5aa33d2..65c7974a3 100644
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@@ -1,26 +1,27 @@
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
+status: test
description: Identifies when a device or device configuration in azure is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
- properties.message:
+ properties.message:
- Delete device
- Delete device configuration
- Update device
- Update device configuration
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Device or device configuration being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Device or device configuration being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
index 57b3f464f..6dc94f25e 100644
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -1,24 +1,25 @@
title: Azure Owner Removed From Application or Service Principal
id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
+status: test
description: Identifies when a owner is was removed from a application or service principal in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
- properties.message:
+ properties.message:
- Remove owner from service principal
- Remove owner from application
condition: selection
-level: medium
-tags:
- - attack.defense_evasion
falsepositives:
- - Owner being removed may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Owner being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
index 28d351a04..c0133ca46 100644
--- a/rules/cloud/azure/azure_service_principal_created.yml
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@@ -1,22 +1,23 @@
title: Azure Service Principal Created
id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
+status: test
description: Identifies when a service principal is created in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/02
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/02
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
properties.message: 'Add service principal'
condition: selection
-level: medium
-tags:
- - attack.defense_evasion
falsepositives:
- - Service principal being created may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Service principal being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
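Review bot: The only ATT&CK tag on the new side, `attack.defense_evasion`, does not describe what the selection matches: `Add service principal` is the creation of a cloud identity, which ATT&CK tracks as Create Account: Cloud Account (T1136.003) under Persistence. Suggest replacing the tag with `- attack.persistence` and `- attack.t1136.003`, keeping defense evasion only if there is a documented reason for it.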
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
index fbda2c690..9fb6f81f0 100644
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -1,22 +1,23 @@
title: Azure Service Principal Removed
id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
+status: test
description: Identifies when a service principal was removed in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
detection:
selection:
properties.message: Remove service principal
condition: selection
-level: medium
-tags:
- - attack.defense_evasion
falsepositives:
- - Service principal being removed may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Service principal being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
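Review bot: The tags block is `attack.defense_evasion` with no technique, while the GCP counterpart normalised in this same commit (`gcp_service_account_disabled_or_deleted.yml`) maps deletion of a machine identity to `attack.impact` / `attack.t1531` (Account Access Removal). For consistency across the cloud rules, suggest the same two tags here: `- attack.impact` and `- attack.t1531`.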
diff --git a/rules/cloud/gcp/gcp_bucket_enumeration.yml b/rules/cloud/gcp/gcp_bucket_enumeration.yml
index e7f8fc61f..35c71fe4c 100644
--- a/rules/cloud/gcp/gcp_bucket_enumeration.yml
+++ b/rules/cloud/gcp/gcp_bucket_enumeration.yml
@@ -1,23 +1,24 @@
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
+status: test
description: Detects when storage bucket is enumerated in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+ - attack.discovery
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- storage.buckets.list
- storage.buckets.listChannels
condition: selection
-level: low
-tags:
- - attack.discovery
falsepositives:
- - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
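Review bot: `storage.buckets.list` and `storage.buckets.listChannels` are read-only methods; in GCP these are, to my knowledge, ADMIN_READ entries in the Data Access audit log, which is not enabled by default for Cloud Storage, so the rule produces nothing unless that log type has been switched on — worth stating in the description so deployers do not assume coverage. The false-positive text also refers to "making changes" for an enumeration rule; suggest `Verify whether the user identity, user agent, and/or hostname should be enumerating buckets in your environment.`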
diff --git a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
index ac5017c9f..ac0ecb40d 100644
--- a/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml
@@ -1,25 +1,26 @@
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
+status: test
description: Detects when storage bucket is modified or deleted in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- storage.buckets.delete
- storage.buckets.insert
- storage.buckets.update
- storage.buckets.patch
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
index 7457bc91f..99e162b55 100644
--- a/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
+++ b/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml
@@ -1,21 +1,22 @@
title: Google Cloud Re-identifies Sensitive Information
id: 234f9f48-904b-4736-a34c-55d23919e4b7
+status: test
description: Identifies when sensitive information is re-identified in google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/15
references:
- https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1565
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
gcp.audit.method_name: projects.content.reidentify
condition: selection
-level: medium
-tags:
- - attack.impact
- - attack.t1565
falsepositives:
- - Unknown
+ - Unknown
+level: medium
diff --git a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
index 9455782d4..324e49826 100644
--- a/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
@@ -1,23 +1,24 @@
title: Google Cloud DNS Zone Modified or Deleted
id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
-description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/15
+status: test
+description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
references:
- https://cloud.google.com/dns/docs/reference/v1/managedZones
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- Dns.ManagedZones.Delete
- Dns.ManagedZones.Update
- Dns.ManagedZones.Patch
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
+ - Unknown
+level: medium
diff --git a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
index 4cb33dd81..c9efa342b 100644
--- a/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
@@ -1,27 +1,28 @@
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
+status: test
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/13
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
+author: Austin Songer @austinsonger
+date: 2021/08/13
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- v*.Compute.Firewalls.Delete
- v*.Compute.Firewalls.Patch
- v*.Compute.Firewalls.Update
- v*.Compute.Firewalls.Insert
condition: selection
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562
falsepositives:
- - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
- - Exceptions can be added to this rule to filter expected behavior.
+ - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
+ - Exceptions can be added to this rule to filter expected behavior.
+level: medium
diff --git a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
index cd29c4055..ebd5bc623 100644
--- a/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
+++ b/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml
@@ -1,18 +1,22 @@
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
+status: test
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/13
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
+author: Austin Songer @austinsonger
+date: 2021/08/13
+modified: 2022/10/09
+tags:
+ - attack.collection
+ - attack.t1074
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- v*.Compute.PacketMirrorings.Get
- v*.Compute.PacketMirrorings.Delete
- v*.Compute.PacketMirrorings.Insert
@@ -20,10 +24,7 @@ detection:
- v*.Compute.PacketMirrorings.List
- v*.Compute.PacketMirrorings.aggregatedList
condition: selection
-level: medium
-tags:
- - attack.collection
- - attack.t1074
falsepositives:
- - Full Network Packet Capture may be done by a system or network administrator.
- - If known behavior is causing false positives, it can be exempted from the rule.
+ - Full Network Packet Capture may be done by a system or network administrator.
+ - If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
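Review bot: The selection mixes mutating methods (`Insert`, `Delete`) with read-only `Get`, `List` and `aggregatedList`; the reads fire on every console visit to the packet-mirroring page and, in GCP, are written to the Data Access (ADMIN_READ) audit log that is off by default, so the two halves of the rule have very different noise and coverage profiles. Consider keeping only the mutating methods here, moving the reads into a separate low-level discovery rule, and noting the Data-Access-log dependency in the description. The method list continues above the second hunk, so any `Patch` entries there are not visible to this review.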
diff --git a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
index 472ff97b5..384ce9060 100644
--- a/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
+++ b/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml
@@ -1,21 +1,24 @@
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
+status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/09
references:
- https://github.com/elastic/detection-rules/pull/1267
- https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+author: Austin Songer @austinsonger
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.credential_access
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- io.k8s.authorization.rbac.v*.clusterrolebindings.create
- io.k8s.authorization.rbac.v*.rolebindings.create
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch
@@ -25,9 +28,7 @@ detection:
- io.k8s.authorization.rbac.v*.clusterrolebindings.delete
- io.k8s.authorization.rbac.v*.rolebindings.delete
condition: selection
-level: medium
-tags:
- - attack.credential_access
falsepositives:
- - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
index 35f1ebda3..2ca21ae8f 100644
--- a/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
@@ -1,25 +1,26 @@
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
+status: test
description: Identifies when the Secrets are Modified or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/09
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+author: Austin Songer @austinsonger
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.credential_access
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- io.k8s.core.v*.secrets.create
- io.k8s.core.v*.secrets.update
- io.k8s.core.v*.secrets.patch
- - io.k8s.core.v*.secrets.delete
+ - io.k8s.core.v*.secrets.delete
condition: selection
-level: medium
-tags:
- - attack.credential_access
falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
index c265f7c9d..687c5f032 100644
--- a/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml
@@ -1,24 +1,25 @@
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
-description: Identifies when a service account is disabled or deleted in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
+status: test
+description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
-logsource:
- product: gcp
- service: gcp.audit
-detection:
- selection:
- gcp.audit.method_name|endswith:
- - .serviceAccounts.disable
- - .serviceAccounts.delete
- condition: selection
-level: medium
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
tags:
- attack.impact
- attack.t1531
+logsource:
+ product: gcp
+ service: gcp.audit
+detection:
+ selection:
+ gcp.audit.method_name|endswith:
+ - .serviceAccounts.disable
+ - .serviceAccounts.delete
+ condition: selection
falsepositives:
- - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index b990d00a4..0962aef40 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
@@ -1,26 +1,27 @@
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
-description: Identifies when a service account is modified in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
+status: test
+description: Identifies when a service account is modified in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name|endswith:
+ gcp.audit.method_name|endswith:
- .serviceAccounts.patch
- .serviceAccounts.create
- .serviceAccounts.update
- .serviceAccounts.enable
- .serviceAccounts.undelete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
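Review bot: `.serviceAccounts.create` is grouped under a rule titled "Modified" and tagged `attack.impact`, but creating a service account is a persistence primitive (Create Account: Cloud Account, T1136.003), and `.serviceAccounts.enable` / `.undelete` reverse the T1531 removals tracked by the sibling rule rather than cause impact. Suggest either splitting creation into its own rule with `- attack.persistence` / `- attack.t1136.003`, or at least adding those tags alongside `attack.impact` so the mapping is not misleading.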
diff --git a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
index 8171bb42a..d22cd01f1 100644
--- a/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
@@ -1,24 +1,25 @@
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
-description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/16
+status: test
+description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
references:
- https://any-api.com/googleapis_com/compute/docs/vpnTunnels
+author: Austin Songer @austinsonger
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: gcp
- service: gcp.audit
+ product: gcp
+ service: gcp.audit
detection:
selection:
- gcp.audit.method_name:
+ gcp.audit.method_name:
- compute.vpnTunnels.insert
- compute.vpnTunnels.delete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - VPN Tunnel being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - VPN Tunnel being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
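Review bot: `gcp.audit.method_name` is matched exactly against `compute.vpnTunnels.insert` / `compute.vpnTunnels.delete`, yet the sibling Compute Engine rules normalised in this commit (`gcp_firewall_rule_modified_or_deleted.yml`, `gcp_full_network_traffic_packet_capture.yml`) expect an API-version prefix (`v*.Compute.…`), which Compute audit logs carry (e.g. `v1.compute.vpnTunnels.insert`); if that holds here too, this rule never fires. Suggest switching to the suffix form the service-account rules in this commit already use: `gcp.audit.method_name|endswith:` with `- .compute.vpnTunnels.insert` and `- .compute.vpnTunnels.delete`. Separately, the title says "Modified or Deleted" but the list contains only `insert` and `delete` — align the title or the method list.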
diff --git a/rules/cloud/gworkspace/gworkspace_application_removed.yml b/rules/cloud/gworkspace/gworkspace_application_removed.yml
index 176b7f9f3..9f0a63994 100644
--- a/rules/cloud/gworkspace/gworkspace_application_removed.yml
+++ b/rules/cloud/gworkspace/gworkspace_application_removed.yml
@@ -1,25 +1,26 @@
title: Google Workspace Application Removed
id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
+status: test
description: Detects when an an application is removed from Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/26
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
+author: Austin Songer
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: google_workspace
- service: google_workspace.admin
+ product: google_workspace
+ service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
- eventName:
+ eventName:
- REMOVE_APPLICATION
- REMOVE_APPLICATION_FROM_WHITELIST
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Application being removed may be performed by a System Administrator.
+ - Application being removed may be performed by a System Administrator.
+level: medium
diff --git a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
index e177ee7d1..ea14ab20b 100644
--- a/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -1,24 +1,25 @@
title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
+status: test
description: Detects when an API access service account is granted domain authority.
-author: Austin Songer
-status: experimental
-date: 2021/08/23
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
+author: Austin Songer
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1098
logsource:
- product: google_workspace
- service: google_workspace.admin
+ product: google_workspace
+ service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: AUTHORIZE_API_CLIENT_ACCESS
condition: selection
-level: medium
-tags:
- - attack.persistence
- - attack.t1098
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
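Review bot: A stray blank line is kept between the `falsepositives` entry and the relocated `level: medium`; none of the other rules reordered in this commit have it, and it reads as an accidental leftover of the old trailing blank line. Drop the empty line so `level: medium` directly follows `- Unknown`.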
diff --git a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
index 18c23bc28..73f7a484a 100644
--- a/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
+++ b/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
@@ -1,26 +1,27 @@
title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
+status: test
description: Detects when an a role is modified or deleted in Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+author: Austin Songer
+date: 2021/08/24
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: google_workspace
- service: google_workspace.admin
+ product: google_workspace
+ service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
- eventName:
+ eventName:
- DELETE_ROLE
- RENAME_ROLE
- UPDATE_ROLE
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
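Review bot: Same leftover as in the other Workspace rules: an empty line sits between `- Unknown` and the relocated `level: medium`, unlike every other rule normalised here. Remove the blank line so the file matches the rest of the commit.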
diff --git a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
index bbe666a6e..3ea2480b6 100644
--- a/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
+++ b/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml
@@ -1,23 +1,24 @@
title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
+status: test
description: Detects when an a role privilege is deleted in Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+author: Austin Songer
+date: 2021/08/24
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: google_workspace
- service: google_workspace.admin
+ product: google_workspace
+ service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: REMOVE_PRIVILEGE
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
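Review bot: The relocated `level: medium` is again preceded by an empty line after `- Unknown`, which the other reordered rules do not carry. Drop the blank line for consistency with the rest of the commit.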
diff --git a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index 802f60526..08e4b4b68 100644
--- a/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -1,25 +1,26 @@
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an Google Workspace user is granted admin privileges.
-author: Austin Songer
-status: experimental
-date: 2021/08/23
+status: test
+description: Detects when an Google Workspace user is granted admin privileges.
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName:
- - GRANT_DELEGATED_ADMIN_PRIVILEGES
- - GRANT_ADMIN_PRIVILEGE
- condition: selection
-level: medium
+author: Austin Songer
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1098
+logsource:
+ product: google_workspace
+ service: google_workspace.admin
+detection:
+ selection:
+ eventService: admin.googleapis.com
+ eventName:
+ - GRANT_DELEGATED_ADMIN_PRIVILEGES
+ - GRANT_ADMIN_PRIVILEGE
+ condition: selection
falsepositives:
- - Google Workspace admin role privileges, may be modified by system administrators.
\ No newline at end of file
+ - Google Workspace admin role privileges, may be modified by system administrators.
+level: medium
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index ed18a8521..3ab255f1f 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -1,12 +1,15 @@
title: Activity Performed by Terminated User
id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
service: threat_management
product: m365
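Review bot: `attack.impact` is the only tag on the new side, but the description is about a terminated user still acting through another account — that is continued use of a valid account, not an impact technique. Suggest `- attack.persistence` and `- attack.t1078` (Valid Accounts) instead, unless the original mapping was deliberate; the `detection` block is outside this hunk and was not reviewed.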
@@ -19,5 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index 2fb822e9b..029f859f8 100644
--- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -1,12 +1,16 @@
title: Activity from Anonymous IP Addresses
id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.command_and_control
+ - attack.t1573
logsource:
service: threat_management
product: m365
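Review bot: The new tags map anonymous-proxy activity to `attack.t1573`, which is Encrypted Channel; use of an anonymizing proxy is described by Proxy: Multi-hop Proxy (T1090.003), and the tactic is better expressed as the sign-in itself (`attack.t1078`, Valid Accounts) than command and control. Suggest `- attack.command_and_control` / `- attack.t1090.003`, or `- attack.initial_access` / `- attack.t1078`, depending on what the maintainers want the rule to signal; the `detection` block lies outside this hunk.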
@@ -19,6 +23,3 @@ detection:
falsepositives:
- User using a VPN or Proxy
level: medium
-tags:
- - attack.command_and_control
- - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 24cb1c14d..01002c7b6 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -1,12 +1,16 @@
title: Activity from Infrequent Country
id: 0f2468a2-5055-4212-a368-7321198ee706
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.command_and_control
+ - attack.t1573
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index 2f407d50a..9453776be 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -1,12 +1,16 @@
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1537
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.exfiltration
- - attack.t1537
diff --git a/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml
index 3694bf34c..94f58159c 100644
--- a/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml
@@ -1,12 +1,16 @@
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
-author: Austin Songer @austinsonger
-date: 2021/08/23
+status: test
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.command_and_control
+ - attack.t1573
logsource:
service: threat_detection
product: m365
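Review bot: The logsource context line reads `service: threat_detection`, while every sibling m365 rule reordered in this commit uses `service: threat_management`; if no `threat_detection` logsource mapping exists in the backends, this rule will fail to convert or match nothing. Unless the different service name is deliberate, change it to `service: threat_management` so the Cloud App Security rules share one logsource. The inconsistency is pre-existing, but this metadata pass is the natural place to settle it.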
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1573
diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
index 98bba6910..2ba14c9d4 100644
--- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
@@ -1,12 +1,16 @@
title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1078
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.initial_access
- - attack.t1078
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
index 489613f57..6ca1f523b 100644
--- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
@@ -1,12 +1,16 @@
title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
-author: austinsonger
-date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1486
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
- - attack.t1486
diff --git a/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml
index b7916e14a..f7f74a5dd 100644
--- a/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml
@@ -1,12 +1,16 @@
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
-author: Austin Songer @austinsonger
-date: 2021/08/22
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/22
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1020
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.exfiltration
- - attack.t1020
diff --git a/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml
index 1c2bbf799..d6dc40733 100644
--- a/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml
@@ -1,12 +1,15 @@
title: Suspicious OAuth App File Download Activities
id: ee111937-1fe7-40f0-962a-0eb44d57d174
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
-author: Austin Songer @austinsonger
-date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
logsource:
service: threat_management
product: m365
@@ -19,5 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.exfiltration
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
index 6f68cbd70..ff0b26d54 100644
--- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
@@ -1,12 +1,16 @@
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
-status: experimental
+status: test
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
-author: austinsonger
-date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1485
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
- - attack.t1485
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
index a334ac653..218f9d3e2 100644
--- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
@@ -1,12 +1,16 @@
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
-status: experimental
+status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
-author: austinsonger
-date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1199
logsource:
service: threat_management
product: m365
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.initial_access
- - attack.t1199
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 32b496a79..e0b6a5ba2 100644
--- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -1,25 +1,25 @@
title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
+status: test
description: Detects when an the Administrator role is assigned to an user or group.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- group.privilege.grant
- user.account.privilege.grant
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Administrator roles could be assigned to users or group by other admin users.
-
+ - Administrator roles could be assigned to users or group by other admin users.
+
+level: medium
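Review bot: The new side keeps `attack.impact` as the only tag for an administrator-role grant, yet granting admin privileges is usually mapped to account manipulation under persistence/privilege escalation (`attack.persistence`, `attack.privilege_escalation`, `attack.t1098`) rather than Impact; worth confirming the mapping before the rule is promoted to `status: test`. Separately, the added empty line before `level: medium` is absent in the other Okta rules reordered in this commit, so it should be dropped for consistency.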
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index a39c3ae70..dd75e42ae 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -1,23 +1,23 @@
title: Okta API Token Created
id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
+status: test
description: Detects when a API token is created
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.persistence
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
eventtype: system.api_token.create
condition: selection
-level: medium
-tags:
- - attack.persistence
falsepositives:
- - Unknown
+ - Unknown
+level: medium
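Review bot: The `attack.persistence` tag carries no technique identifier, unlike most rules in this commit; an Okta API token is an additional credential for the tenant, so `attack.t1098.001` is a candidate sub-tag — confirm against the current ATT&CK matrix before adding it. The `falsepositives` entry `Unknown` could also name the obvious benign case, e.g. `- API tokens created by administrators for legitimate integrations`, which helps analysts tune the medium-level alert.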
diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml
index 644f1aea5..e57121bfa 100644
--- a/rules/cloud/okta/okta_api_token_revoked.yml
+++ b/rules/cloud/okta/okta_api_token_revoked.yml
@@ -1,23 +1,23 @@
title: Okta API Token Revoked
id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
+status: test
description: Detects when a API Token is revoked.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
eventtype: system.api_token.revoke
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 35cbd1b95..800cb8698 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -1,25 +1,25 @@
title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
+status: test
description: Detects when an application is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- application.lifecycle.update
- application.lifecycle.delete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index 0520ddd6b..8d77d6eb5 100644
--- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -1,24 +1,24 @@
title: Okta Application Sign-On Policy Modified or Deleted
id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
+status: test
description: Detects when an application Sign-on Policy is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- application.policy.sign_on.update
- application.policy.sign_on.rule.delete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
+level: medium
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
index 69185811f..2e6f30970 100644
--- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
+++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
@@ -1,24 +1,24 @@
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
+status: test
description: Detects when an attempt at deactivating or resetting MFA.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/21
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/21
+modified: 2022/10/09
+tags:
+ - attack.persistence
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- user.mfa.factor.deactivate
- user.mfa.factor.reset_all
condition: selection
-level: medium
-tags:
- - attack.persistence
falsepositives:
- - If a MFA reset or deactivated was performed by a system administrator.
+ - If a MFA reset or deactivated was performed by a system administrator.
+level: medium
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index b4f6adf83..5e348ee53 100644
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -1,25 +1,25 @@
title: Okta Network Zone Deactivated or Deleted
id: 9f308120-69ed-4506-abde-ac6da81f4310
+status: test
description: Detects when an Network Zone is Deactivated or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- zone.deactivate
- zone.delete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
index 247901b96..547fcadcd 100644
--- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
@@ -1,26 +1,26 @@
title: Okta Policy Modified or Deleted
id: 1667a172-ed4c-463c-9969-efd92195319a
+status: test
description: Detects when an Okta policy is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- policy.lifecycle.update
- policy.lifecycle.delete
condition: selection
-level: low
-tags:
- - attack.impact
falsepositives:
- - Okta Policies being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Okta Policies being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 9a1ab4bf7..958e131d3 100644
--- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -1,25 +1,25 @@
title: Okta Policy Rule Modified or Deleted
id: 0c97c1d3-4057-45c9-b148-1de94b631931
+status: test
description: Detects when an Policy Rule is Modified or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
- eventtype:
+ eventtype:
- policy.rule.update
- policy.rule.delete
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
-
+ - Unknown
+
+level: medium
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index 02bb71925..0cffb48f9 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -1,21 +1,21 @@
title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
+status: test
description: Detects when an security threat is detected in Okta.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
eventtype: security.threat.detected
condition: selection
-level: medium
falsepositives:
- - Unknown
+ - Unknown
+level: medium
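Review bot: This is the only Okta rule reordered in this commit that has no `tags:` block, so it will not appear in any ATT&CK coverage view alongside its siblings. The ThreatInsight reference already cited describes which threats raise `security.threat.detected`; pick at least a tactic tag from it (a `tags:` block between `modified:` and `logsource:` like the other rules) rather than leaving the rule untagged. Hedged: if the event is deliberately left untagged because it spans several tactics, a comment saying so would prevent the next reviewer from raising this again.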
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
index c9ce5ab4d..0206a7b96 100644
--- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -1,22 +1,22 @@
title: Okta Unauthorized Access to App
id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
+status: test
description: Detects when unauthorized access to app occurs.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
displaymessage: User attempted unauthorized access to app
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - User might of believe that they had access.
+ - User might of believe that they had access.
+level: medium
diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml
index 21b4c7ed2..250c035d8 100644
--- a/rules/cloud/okta/okta_user_account_locked_out.yml
+++ b/rules/cloud/okta/okta_user_account_locked_out.yml
@@ -1,22 +1,22 @@
title: Okta User Account Locked Out
id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
+status: test
description: Detects when an user account is locked out.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
- product: okta
- service: okta
+ product: okta
+ service: okta
detection:
selection:
displaymessage: Max sign in attempts exceeded
condition: selection
-level: medium
-tags:
- - attack.impact
falsepositives:
- - Unknown
+ - Unknown
+level: medium
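Review bot: The selection keys on the free-text `displaymessage: Max sign in attempts exceeded` rather than an event type, and display messages are not a stable contract in the Okta System Log, so a wording change upstream would silently blind the rule. Okta documents a dedicated lockout event type (`user.account.lock`); if that is confirmed in the event-types reference this rule already cites, prefer `eventtype: user.account.lock`, which is also how the other Okta rules in this set are written. The `displaymessage`-based unauthorized-access rule earlier in this commit has the same weakness.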
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index ae9a76a72..e15021de6 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@@ -4,7 +4,7 @@ status: stable
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/19
-modified: 2021/05/30
+modified: 2022/10/05
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -13,8 +13,8 @@ logsource:
product: qualys
detection:
selection:
- event.category: Security Policy
- host.scan.vuln_name: Firewall Product Not Detected*
+ event.category: 'Security Policy'
+ host.scan.vuln_name|contains: 'Firewall Product Not Detected'
condition: selection
level: low
# tags:
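Review bot: Replacing the trailing wildcard `Firewall Product Not Detected*` with `|contains` broadens the match to any vuln name containing that phrase anywhere, not only at the start; the faithful translation is `host.scan.vuln_name|startswith: 'Firewall Product Not Detected'`. If the broadening is intended it deserves a comment, since for a compliance rule every extra match is a host flagged as non-compliant. The `modified:` date was bumped in the earlier hunk, so this logic change is easy to miss behind what looks like a quoting cleanup.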
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index cfb085506..88240b0ca 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -1,27 +1,27 @@
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
+status: test
description: Detects attempts to record audio with arecord utility
- #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/04
references:
- - https://linux.die.net/man/1/arecord
- - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
- - https://attack.mitre.org/techniques/T1123/
-logsource:
- product: linux
- service: auditd
-detection:
- selection:
- type: EXECVE
- a0: arecord
- a1: '-vv'
- a2: '-fdat'
- condition: selection
+ - https://linux.die.net/man/1/arecord
+ - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
+ - https://attack.mitre.org/techniques/T1123/
+author: 'Pawel Mazur'
+date: 2021/09/04
+modified: 2022/10/09
tags:
- - attack.collection
- - attack.t1123
+ - attack.collection
+ - attack.t1123
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ a0: arecord
+ a1: '-vv'
+ a2: '-fdat'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: low
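Review bot: The removed line noting that the binary actually executed by `arecord` is `/usr/bin/aplay`, and that this is what has to be monitored, is dropped without replacement, although it is the one piece of deployment guidance a user of this auditd rule needs; keep it as a YAML comment above the selection, e.g. `# The binary arecord actually runs is /usr/bin/aplay; the auditd watch must cover that path`. The selection also requires the exact argument order `-vv` then `-fdat`, so any other arecord invocation is missed — stating that in the description would explain the narrow scope and the `low` level.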
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
index ca7009ca1..4324fcfa5 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -1,31 +1,32 @@
title: Clipboard Collection with Xclip Tool
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
+status: test
description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/24
references:
- - https://attack.mitre.org/techniques/T1115/
- - https://linux.die.net/man/1/xclip
- - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+ - https://attack.mitre.org/techniques/T1115/
+ - https://linux.die.net/man/1/xclip
+ - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+author: 'Pawel Mazur'
+date: 2021/09/24
+modified: 2022/10/09
+tags:
+ - attack.collection
+ - attack.t1115
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
selection:
type: EXECVE
a0: xclip
- a1:
+ a1:
- '-selection'
- '-sel'
- a2:
+ a2:
- clipboard
- clip
a3: '-o'
condition: selection
-tags:
- - attack.collection
- - attack.t1115
falsepositives:
- - Legitimate usage of xclip tools
+ - Legitimate usage of xclip tools
level: low
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
index 9e3b3dce2..284237594 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -1,32 +1,33 @@
title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
+status: test
description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+references:
+ - https://attack.mitre.org/techniques/T1115/
+ - https://linux.die.net/man/1/xclip
author: 'Pawel Mazur'
-status: experimental
date: 2021/10/01
-references:
- - https://attack.mitre.org/techniques/T1115/
- - https://linux.die.net/man/1/xclip
-logsource:
- product: linux
- service: auditd
-detection:
- selection:
- type: EXECVE
- a0: xclip
- a1:
- - '-selection'
- - '-sel'
- a2:
- - clipboard
- - clip
- a3: '-t'
- a4|startswith: 'image/'
- a5: '-o'
- condition: selection
+modified: 2022/10/09
tags:
- - attack.collection
- - attack.t1115
+ - attack.collection
+ - attack.t1115
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ a0: xclip
+ a1:
+ - '-selection'
+ - '-sel'
+ a2:
+ - clipboard
+ - clip
+ a3: '-t'
+ a4|startswith: 'image/'
+ a5: '-o'
+ condition: selection
falsepositives:
- - Legitimate usage of xclip tools
-level: low
+ - Legitimate usage of xclip tools
+level: low
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
index e2f5e16f0..16714dceb 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
@@ -1,14 +1,12 @@
title: CVE-2021-3156 Exploitation Attempt
id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
- Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
- required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
+status: test
+description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | required to trigger the heap-based buffer overflow.
references:
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+author: Bhabesh Raj
+date: 2021/02/01
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1068
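Review bot: Collapsing the description onto one line keeps the literal ` | ` separators left over from the old multi-line attempt, so the rendered description now reads `...CVE-2021-3156. | Alternative approach ... | required to trigger the heap-based buffer overflow.`; they were never YAML block indicators and should be removed. Either join the three sentences with plain spaces, or use a folded scalar `description: >-` with each sentence on its own indented line. The detection block and its `count() by host > 50` condition lie outside this hunk.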
@@ -39,4 +37,4 @@ detection:
condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
index b125fa602..eb896d63a 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
@@ -3,15 +3,13 @@ id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
related:
- id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
type: derived
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
- Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
- required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
+status: test
+description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | required to trigger the heap-based buffer overflow.
references:
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+author: Bhabesh Raj
+date: 2021/02/01
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1068
@@ -26,4 +24,4 @@ detection:
condition: selection | count() by host > 50
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index 107dd0ece..5f38f1493 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -1,33 +1,34 @@
title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
+status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/06
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
- - https://attack.mitre.org/techniques/T1564/001/
-logsource:
- product: linux
- service: auditd
-detection:
- commands:
- type: EXECVE
- a0:
- - mkdir
- - touch
- - vim
- - nano
- - vi
- arguments:
- - a1|contains: '/.'
- - a1|startswith: '.'
- - a2|contains: '/.'
- - a2|startswith: '.'
- condition: commands and arguments
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
+ - https://attack.mitre.org/techniques/T1564/001/
+author: 'Pawel Mazur'
+date: 2021/09/06
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1564.001
+ - attack.defense_evasion
+ - attack.t1564.001
+logsource:
+ product: linux
+ service: auditd
+detection:
+ commands:
+ type: EXECVE
+ a0:
+ - mkdir
+ - touch
+ - vim
+ - nano
+ - vi
+ arguments:
+ - a1|contains: '/.'
+ - a1|startswith: '.'
+ - a2|contains: '/.'
+ - a2|startswith: '.'
+ condition: commands and arguments
falsepositives:
- - Unknown
+ - Unknown
level: low
diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
index 673a4608f..f47da6e3f 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
@@ -1,29 +1,30 @@
title: Steganography Hide Zip Information in Picture File
id: 45810b50-7edc-42ca-813b-bdac02fb946b
+status: test
description: Detects appending of zip file to image
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/09
references:
- - https://attack.mitre.org/techniques/T1027/003/
- - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+author: 'Pawel Mazur'
+date: 2021/09/09
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1027.003
-falsepositives:
- - Unknown
-level: low
+ - attack.defense_evasion
+ - attack.t1027.003
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- commands:
- type: EXECVE
- a0: cat
- a1:
- a1|endswith:
- - '.jpg'
- - '.png'
- a2:
- a2|endswith: '.zip'
- condition: commands and a1 and a2
+ commands:
+ type: EXECVE
+ a0: cat
+ a1:
+ a1|endswith:
+ - '.jpg'
+ - '.png'
+ a2:
+ a2|endswith: '.zip'
+ condition: commands and a1 and a2
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
index dac53cd0a..c946fd66c 100644
--- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
+++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
@@ -1,17 +1,20 @@
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
+status: test
description: Detect attempt to enable auditing of TTY input
- # -w /etc/pam.d/ -p wa -k pam - This rule will help you detect changes to the pam.d files - https://github.com/Neo23x0/auditd/blob/master/audit.rules
- # The TTY events detection assumes that you do not expect them in your environment or add filtering on those users that you configured it for
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/05/24
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://attack.mitre.org/techniques/T1003/
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
+author: 'Pawel Mazur'
+date: 2021/05/24
+modified: 2022/10/09
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1056.001
logsource:
product: linux
service: auditd
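Review bot: The removed comment lines under `description` were the only place that recorded the auditd configuration this rule depends on — a watch on `/etc/pam.d/` (`-w /etc/pam.d/ -p wa -k pam`) plus the assumption that TTY audit records are not expected for ordinary users — and the new side drops them without relocating that information. The repository already uses `logsource.definition` for this (see the network-service-scanning rule later in this diff), so a line such as `  definition: 'Requires an auditd watch on /etc/pam.d/ (-w /etc/pam.d/ -p wa -k pam) and pam_tty_audit enabled; TTY events are assumed to be unexpected unless filtered per user'` under `logsource` would keep the prerequisite visible. This applies unless a `definition:` key already exists in the original lines between this hunk and the next, which are outside my view.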
@@ -26,10 +29,6 @@ detection:
- 'TTY'
- 'USER_TTY'
condition: path_events or tty_events
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1056.001
falsepositives:
- Administrative work
level: high
diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
index a3ca97554..8e178eaf5 100644
--- a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
+++ b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
@@ -3,30 +3,30 @@ id: 3761e026-f259-44e6-8826-719ed8079408
related:
- id: 3e102cd9-a70d-4a7a-9508-403963092f31
type: derived
-status: experimental
+status: test
description: Detects enumeration of local or remote network services.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020/10/21
-modified: 2021/09/14
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
+modified: 2022/10/09
tags:
- - attack.discovery
- - attack.t1046
+ - attack.discovery
+ - attack.t1046
logsource:
- product: linux
- service: auditd
- definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
+ product: linux
+ service: auditd
+ definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
- selection:
- type: 'SYSCALL'
- exe|endswith:
- - '/telnet'
- - '/nmap'
- - '/netcat'
- - '/nc'
- key: 'network_connect_4'
- condition: selection
+ selection:
+ type: 'SYSCALL'
+ exe|endswith:
+ - '/telnet'
+ - '/nmap'
+ - '/netcat'
+ - '/nc'
+ key: 'network_connect_4'
+ condition: selection
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: low
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
index 29fe14e15..ac183e979 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
@@ -3,7 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/17
-modified: 2021/11/11
+modified: 2022/10/05
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
@@ -22,7 +22,7 @@ detection:
selection:
type: 'SYSCALL'
syscall: 'execve'
- uid: '0'
+ uid: 0
cwd: '/var/opt/microsoft/scx/tmp'
comm: 'sh'
condition: selection
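Review bot: Dropping the quotes on `uid: 0` turns the value from a string into a YAML integer, and whether the converted query still matches auditd records — where `uid` is text in the raw event — now depends on how each backend types that field rather than on the rule itself. If numeric matching is intended, the change deserves a short comment; otherwise `uid: '0'` was the portable form and this is a silent type change introduced by the formatter. The same string-to-integer change appears at L4014 (`a1: 777`, an EXECVE command-line argument, i.e. text in the raw record), L4142–L4143 (`- 0` / `- 6`), and L4488 / L4509 (`LogonId: 0`).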
diff --git a/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
index f214092f1..8173ead14 100644
--- a/rules/linux/auditd/lnx_auditd_screencapture_import.yml
+++ b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
@@ -1,37 +1,38 @@
title: Screen Capture with Import Tool
id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
+status: test
description: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/21
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
- - https://attack.mitre.org/techniques/T1113/
- - https://linux.die.net/man/1/import
- - https://imagemagick.org/
-logsource:
- product: linux
- service: auditd
-detection:
- import:
- type: EXECVE
- a0: import
- import_window_root:
- a1: '-window'
- a2: 'root'
- a3|endswith:
- - '.png'
- - '.jpg'
- - '.jpeg'
- import_no_window_root:
- a1|endswith:
- - '.png'
- - '.jpg'
- - '.jpeg'
- condition: import and (import_window_root or import_no_window_root)
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
+ - https://attack.mitre.org/techniques/T1113/
+ - https://linux.die.net/man/1/import
+ - https://imagemagick.org/
+author: 'Pawel Mazur'
+date: 2021/09/21
+modified: 2022/10/09
tags:
- - attack.collection
- - attack.t1113
+ - attack.collection
+ - attack.t1113
+logsource:
+ product: linux
+ service: auditd
+detection:
+ import:
+ type: EXECVE
+ a0: import
+ import_window_root:
+ a1: '-window'
+ a2: 'root'
+ a3|endswith:
+ - '.png'
+ - '.jpg'
+ - '.jpeg'
+ import_no_window_root:
+ a1|endswith:
+ - '.png'
+ - '.jpg'
+ - '.jpeg'
+ condition: import and (import_window_root or import_no_window_root)
falsepositives:
- - Legitimate use of screenshot utility
-level: low
\ No newline at end of file
+ - Legitimate use of screenshot utility
+level: low
diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
index a2a609697..924c3cd21 100644
--- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
+++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
@@ -1,31 +1,32 @@
title: Screen Capture with Xwd
id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
+status: test
description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/13
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
- - https://attack.mitre.org/techniques/T1113/
- - https://linux.die.net/man/1/xwd
-logsource:
- product: linux
- service: auditd
-detection:
- xwd:
- type: EXECVE
- a0: xwd
- xwd_root_window:
- a1: '-root'
- a2: '-out'
- a3|endswith: '.xwd'
- xwd_no_root_window:
- a1: '-out'
- a2|endswith: '.xwd'
- condition: xwd and (xwd_root_window or xwd_no_root_window)
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
+ - https://attack.mitre.org/techniques/T1113/
+ - https://linux.die.net/man/1/xwd
+author: 'Pawel Mazur'
+date: 2021/09/13
+modified: 2022/10/09
tags:
- - attack.collection
- - attack.t1113
+ - attack.collection
+ - attack.t1113
+logsource:
+ product: linux
+ service: auditd
+detection:
+ xwd:
+ type: EXECVE
+ a0: xwd
+ xwd_root_window:
+ a1: '-root'
+ a2: '-out'
+ a3|endswith: '.xwd'
+ xwd_no_root_window:
+ a1: '-out'
+ a2|endswith: '.xwd'
+ condition: xwd and (xwd_root_window or xwd_no_root_window)
falsepositives:
- - Legitimate use of screenshot utility
+ - Legitimate use of screenshot utility
level: low
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index cc4cd5189..2807137ad 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -1,30 +1,31 @@
title: Steganography Hide Files with Steghide
id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+status: test
description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/11
references:
- - https://attack.mitre.org/techniques/T1027/003/
- - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+author: 'Pawel Mazur'
+date: 2021/09/11
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1027.003
-falsepositives:
- - Unknown
-level: low
+ - attack.defense_evasion
+ - attack.t1027.003
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: EXECVE
- a0: steghide
- a1: embed
- a2:
- - '-cf'
- - '-ef'
- a4:
- - '-cf'
- - '-ef'
- condition: selection
+ selection:
+ type: EXECVE
+ a0: steghide
+ a1: embed
+ a2:
+ - '-cf'
+ - '-ef'
+ a4:
+ - '-cf'
+ - '-ef'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index cd596493c..d517ce5d2 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -1,28 +1,29 @@
title: Steganography Extract Files with Steghide
id: a5a827d9-1bbe-4952-9293-c59d897eb41b
+status: test
description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/11
references:
- - https://attack.mitre.org/techniques/T1027/003/
- - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+author: 'Pawel Mazur'
+date: 2021/09/11
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1027.003
-falsepositives:
- - Unknown
-level: low
+ - attack.defense_evasion
+ - attack.t1027.003
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: EXECVE
- a0: steghide
- a1: extract
- a2: '-sf'
- a3|endswith:
- - '.jpg'
- - '.png'
- condition: selection
+ selection:
+ type: EXECVE
+ a0: steghide
+ a1: extract
+ a2: '-sf'
+ a3|endswith:
+ - '.jpg'
+ - '.png'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index b8c330a13..6cebe1dd7 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -4,33 +4,33 @@ status: test
description: Detects relevant commands often related to malware or hacking activity
author: Florian Roth
references:
- - Internal Research - mostly derived from exploit code including code in MSF
+ - Internal Research - mostly derived from exploit code including code in MSF
date: 2017/12/12
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- cmd1:
- type: 'EXECVE'
- a0: 'chmod'
- a1: '777'
- cmd2:
- type: 'EXECVE'
- a0: 'chmod'
- a1: 'u+s'
- cmd3:
- type: 'EXECVE'
- a0: 'cp'
- a1: '/bin/ksh'
- cmd4:
- type: 'EXECVE'
- a0: 'cp'
- a1: '/bin/sh'
- condition: 1 of cmd*
+ cmd1:
+ type: 'EXECVE'
+ a0: 'chmod'
+ a1: 777
+ cmd2:
+ type: 'EXECVE'
+ a0: 'chmod'
+ a1: 'u+s'
+ cmd3:
+ type: 'EXECVE'
+ a0: 'cp'
+ a1: '/bin/ksh'
+ cmd4:
+ type: 'EXECVE'
+ a0: 'cp'
+ a1: '/bin/sh'
+ condition: 1 of cmd*
falsepositives:
- - Admin activity
+ - Admin activity
level: medium
tags:
- - attack.execution
- - attack.t1059.004
+ - attack.execution
+ - attack.t1059.004
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
index a16a9e39c..ccfa1dd97 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@@ -1,31 +1,32 @@
title: System Information Discovery
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
+status: test
description: Detects System Information Discovery commands
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/03
references:
- - https://attack.mitre.org/techniques/T1082/
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
-logsource:
- product: linux
- service: auditd
-detection:
- selection:
- type: PATH
- name:
- - /etc/lsb-release
- - /etc/redhat-release
- - /etc/issue
- selection2:
- type: EXECVE
- a0:
- - uname
- - uptime
- condition: selection or selection2
+ - https://attack.mitre.org/techniques/T1082/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
+author: 'Pawel Mazur'
+date: 2021/09/03
+modified: 2022/10/09
tags:
- - attack.discovery
- - attack.t1082
+ - attack.discovery
+ - attack.t1082
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: PATH
+ name:
+ - /etc/lsb-release
+ - /etc/redhat-release
+ - /etc/issue
+ selection2:
+ type: EXECVE
+ a0:
+ - uname
+ - uptime
+ condition: selection or selection2
falsepositives:
- - Legitimate administrative activity
+ - Legitimate administrative activity
level: low
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index 6f81b3481..64e37597f 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -4,30 +4,30 @@ status: test
description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
author: 'Igor Fits, oscd.community'
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
date: 2020/10/15
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- execve:
- type: 'EXECVE'
- shutdowncmd:
- - 'shutdown'
- - 'reboot'
- - 'halt'
- - 'poweroff'
- init:
- - 'init'
- - 'telinit'
- initselection:
- - '0'
- - '6'
- condition: execve and (shutdowncmd or (init and initselection))
+ execve:
+ type: 'EXECVE'
+ shutdowncmd:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ init:
+ - 'init'
+ - 'telinit'
+ initselection:
+ - 0
+ - 6
+ condition: execve and (shutdowncmd or (init and initselection))
falsepositives:
- - Legitimate administrative activity
+ - Legitimate administrative activity
level: informational
tags:
- - attack.impact
- - attack.t1529
+ - attack.impact
+ - attack.t1529
diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
index 6673e20bf..8c95efe91 100644
--- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -1,27 +1,28 @@
title: Steganography Unzip Hidden Information From Picture File
id: edd595d7-7895-4fa7-acb3-85a18a8772ca
+status: test
description: Detects extracting of zip file from image file
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/09
references:
- - https://attack.mitre.org/techniques/T1027/003/
- - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+author: 'Pawel Mazur'
+date: 2021/09/09
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1027.003
-falsepositives:
- - Unknown
-level: low
+ - attack.defense_evasion
+ - attack.t1027.003
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- commands:
- type: EXECVE
- a0: unzip
- a1:
- a1|endswith:
- - '.jpg'
- - '.png'
- condition: commands and a1
+ commands:
+ type: EXECVE
+ a0: unzip
+ a1:
+ a1|endswith:
+ - '.jpg'
+ - '.png'
+ condition: commands and a1
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/builtin/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
index ac9fa13cd..949b736f7 100644
--- a/rules/linux/builtin/lnx_clear_syslog.yml
+++ b/rules/linux/builtin/lnx_clear_syslog.yml
@@ -1,11 +1,12 @@
title: Commands to Clear or Remove the Syslog
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
-status: experimental
+status: test
description: Detects specific commands commonly used to remove or empty the syslog
-author: Max Altgelt
-date: 2021/09/10
references:
- https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
+author: Max Altgelt
+date: 2021/09/10
+modified: 2022/10/09
tags:
- attack.impact
- attack.t1565.001
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 2ddcb6d07..91bd27cfd 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -1,11 +1,16 @@
title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
-status: experimental
+status: test
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
-author: Christian Burkard
-date: 2021/05/05
references:
- https://man7.org/linux/man-pages/man8/ld.so.8.html
+author: Christian Burkard
+date: 2021/05/05
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.006
logsource:
product: linux
detection:
@@ -15,7 +20,3 @@ detection:
falsepositives:
- Rare temporary workaround for library misconfiguration
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1574.006
\ No newline at end of file
diff --git a/rules/linux/builtin/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml
deleted file mode 100644
index 8a527c94b..000000000
--- a/rules/linux/builtin/lnx_proxy_connection.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: Connection Proxy
-id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
-status: test
-description: Detects setting proxy
-author: Ömer Günal
-references:
- - https://attack.mitre.org/techniques/T1090/
-date: 2020/06/17
-modified: 2021/11/27
-logsource:
- product: linux
-detection:
- keywords:
- - 'http_proxy=*'
- - 'https_proxy=*'
- condition: keywords
-falsepositives:
- - Legitimate administration activities
-level: low
-tags:
- - attack.defense_evasion
diff --git a/rules/linux/builtin/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
index dd7cbc8c6..d3851a0bd 100644
--- a/rules/linux/builtin/lnx_shellshock.yml
+++ b/rules/linux/builtin/lnx_shellshock.yml
@@ -1,16 +1,19 @@
title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
-status: experimental
+status: test
description: Detects shellshock expressions in log files
-author: Florian Roth
-date: 2017/03/14
-modified: 2021/04/28
references:
- https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
+author: Florian Roth
+date: 2017/03/14
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1505.003
logsource:
product: linux
detection:
- keywords:
+ keywords:
- '(){:;};'
- '() {:;};'
- '() { :;};'
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1505.003
\ No newline at end of file
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index f17f91022..e6dae1231 100644
--- a/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -7,7 +7,7 @@ status: experimental
description: Detects disabling security tools
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
-modified: 2021/09/14
+modified: 2022/10/05
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
tags:
@@ -16,13 +16,13 @@ tags:
logsource:
product: linux
service: syslog
-detection:
+detection:
keywords:
- - '*stopping iptables*'
- - '*stopping ip6tables*'
- - '*stopping firewalld*'
- - '*stopping cbdaemon*'
- - '*stopping falcon-sensor*'
+ - 'stopping iptables'
+ - 'stopping ip6tables'
+ - 'stopping firewalld'
+ - 'stopping cbdaemon'
+ - 'stopping falcon-sensor'
condition: keywords
falsepositives:
- Legitimate administration activities
diff --git a/rules/linux/other/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml
index 00b29a3dd..ad641f578 100644
--- a/rules/linux/other/lnx_susp_named.yml
+++ b/rules/linux/other/lnx_susp_named.yml
@@ -4,21 +4,21 @@ status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
author: Florian Roth
references:
- - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
+ - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
date: 2018/02/20
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- product: linux
- service: syslog
+ product: linux
+ service: syslog
detection:
- keywords:
- - '* dropping source port zero packet from *'
- - '* denied AXFR from *'
- - '* exiting (due to fatal error)*'
- condition: keywords
+ keywords:
+ - ' dropping source port zero packet from '
+ - ' denied AXFR from '
+ - ' exiting (due to fatal error)'
+ condition: keywords
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
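Review bot: After stripping the `*` wildcards, the three keyword values keep their inner padding — `' dropping source port zero packet from '` with a leading and trailing space, `' denied AXFR from '` likewise, and `' exiting (due to fatal error)'` with a leading space. On backends that do substring matching these spaces are part of the pattern, so the phrase no longer matches at the start of a message or when followed by punctuation, while token-based backends silently ignore them, and behaviour diverges between targets. If the spaces were meant as word boundaries that should be stated in a comment; otherwise `'dropping source port zero packet from'`, `'denied AXFR from'` and `'exiting (due to fatal error)'` are the likely intended values.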
diff --git a/rules/linux/other/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml
index 4a9c96e12..cecc4cd00 100644
--- a/rules/linux/other/lnx_susp_ssh.yml
+++ b/rules/linux/other/lnx_susp_ssh.yml
@@ -4,30 +4,30 @@ status: test
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
author: Florian Roth
references:
- - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
- - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
+ - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
+ - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
date: 2017/06/30
modified: 2021/11/27
logsource:
- product: linux
- service: sshd
+ product: linux
+ service: sshd
detection:
- keywords:
- - '*unexpected internal error*'
- - '*unknown or unsupported key type*'
- - '*invalid certificate signing key*'
- - '*invalid elliptic curve value*'
- - '*incorrect signature*'
- - '*error in libcrypto*'
- - '*unexpected bytes remain after decoding*'
- - '*fatal: buffer_get_string: bad string*'
- - '*Local: crc32 compensation attack*'
- - '*bad client public DH value*'
- - '*Corrupted MAC on input*'
- condition: keywords
+ keywords:
+ - 'unexpected internal error'
+ - 'unknown or unsupported key type'
+ - 'invalid certificate signing key'
+ - 'invalid elliptic curve value'
+ - 'incorrect signature'
+ - 'error in libcrypto'
+ - 'unexpected bytes remain after decoding'
+ - 'fatal: buffer_get_string: bad string'
+ - 'Local: crc32 compensation attack'
+ - 'bad client public DH value'
+ - 'Corrupted MAC on input'
+ condition: keywords
falsepositives:
- - Unknown
+ - Unknown
level: medium
tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
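Review bot: The detection values change in this hunk (the `*` wildcards are removed from every keyword) but `modified: 2021/11/27` is left untouched, whereas the sibling rules in this diff that received the same treatment bump it to `2022/10/05` (e.g. `lnx_susp_named.yml` and `lnx_security_tools_disabling_syslog.yml`). Suggest `modified: 2022/10/05` so the rule's change history stays consistent with the rest of the commit.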
diff --git a/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml b/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
index 4d895d4c4..15b4cbead 100644
--- a/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
@@ -1,12 +1,12 @@
title: Linux Network Service Scanning
id: 3e102cd9-a70d-4a7a-9508-403963092f31
-status: experimental
+status: test
description: Detects enumeration of local or remote network services.
-author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2021/09/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1046
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
index c0ecca6f2..52e51464f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
@@ -3,6 +3,7 @@ id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: experimental
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
date: 2021/10/15
+modified: 2022/10/05
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.privilege_escalation
@@ -20,7 +21,7 @@ logsource:
detection:
selection:
User: root
- LogonId: '0'
+ LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
condition: selection
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index cb500dd68..7c0f44997 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
@@ -3,6 +3,7 @@ id: 21541900-27a9-4454-9c4c-3f0a4240344a
status: experimental
description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
date: 2021/10/15
+modified: 2022/10/05
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.privilege_escalation
@@ -20,7 +21,7 @@ logsource:
detection:
selection:
User: root
- LogonId: '0'
+ LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/bin/sh'
condition: selection
diff --git a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
new file mode 100644
index 000000000..146dcc2e9
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
@@ -0,0 +1,24 @@
+title: Connection Proxy
+id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
+status: test
+description: Detects setting proxy configuration
+author: Ömer Günal
+references:
+ - https://attack.mitre.org/techniques/T1090/
+date: 2020/06/17
+modified: 2022/10/05
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - 'http_proxy='
+ - 'https_proxy='
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1090
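Review bot: The key order in this new rule puts `tags` after `level`, whereas the rest of this commit normalises rules to `tags` before `logsource` (see proc_creation_lnx_security_tools_disabling.yml further down); moving the two tag lines up keeps the file consistent with the convention the commit itself establishes. The `falsepositives` entry could also be more specific: `http_proxy=` / `https_proxy=` assignments are routinely prefixed to package-manager, build and container commands, so something like `- Build, package-manager and container tooling that sets proxy variables inline` would help triage at `level: low`.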
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index e48f83c9b..fa83e7f38 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -1,12 +1,12 @@
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
-status: experimental
+status: test
description: Detects disabling security tools
-author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/06/17
-modified: 2021/09/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/06/17
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.004
diff --git a/rules/linux/builtin/lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
similarity index 68%
rename from rules/linux/builtin/lnx_setgid_setuid.yml
rename to rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index 836a45c03..51f94f335 100644
--- a/rules/linux/builtin/lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -7,17 +7,18 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
- https://attack.mitre.org/techniques/T1548/001/
date: 2020/06/16
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
product: linux
+ category: process_creation
detection:
- selection1:
- - '*chown root*'
- selection2:
- - '* chmod u+s*'
- selection3:
- - '* chmod g+s*'
- condition: (selection1 and selection2) or (selection1 and selection3)
+ selection_root:
+ CommandLine|contains: 'chown root'
+ selection_perm:
+ CommandLine|contains:
+ - ' chmod u+s'
+ - ' chmod g+s'
+ condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: low
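Review bot: `selection_perm` only covers the symbolic forms `chmod u+s` / `chmod g+s`, so the numeric equivalents (a leading 4 or 2 in the octal mode) pass the rule unnoticed; the original wildcard keywords had the same gap, but the rewrite to `CommandLine|contains` is a good moment to close it. A `CommandLine|re` entry such as `' chmod [24][0-7]{3}'` would cover them without matching ordinary modes; if that is out of scope, record the limitation in a comment above `selection_perm` so the rule's reach is clear. The `all of selection_*` condition is otherwise equivalent to the old `(selection1 and selection2) or (selection1 and selection3)`.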
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
similarity index 81%
rename from rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
rename to rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index b059c59d0..7e2b888f7 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -4,22 +4,23 @@ status: experimental
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
author: Florian Roth
date: 2019/10/15
-modified: 2021/09/14
+modified: 2022/10/05
references:
- https://www.openwall.com/lists/oss-security/2019/10/14/1
- https://access.redhat.com/security/cve/cve-2019-14287
- https://twitter.com/matthieugarin/status/1183970598210412546
logsource:
product: linux
+ category: process_creation
tags:
- attack.privilege_escalation
- attack.t1068
- attack.t1548.003
- cve.2019.14287
detection:
- selection_keywords:
- - '* -u#*'
- condition: selection_keywords
+ selection:
+ CommandLine|contains: ' -u#'
+ condition: selection
falsepositives:
- Unlikely
-level: high
\ No newline at end of file
+level: high
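Review bot: `CommandLine|contains: ' -u#'` matches every numeric-UID form of `sudo -u#<uid>`, which is ordinary sudo syntax, so the `falsepositives: Unlikely` entry is optimistic for environments where admins use numeric UIDs; the old keyword `'* -u#*'` had the same reach, so this is not a regression, but the rewrite is an opportunity either to narrow the pattern to the UID values the referenced advisories tie to CVE-2019-14287 or to add `- Legitimate use of numeric UIDs with sudo -u#<uid>` under falsepositives. `status: experimental` is also left unchanged here while the commit moves most neighbouring rules to `status: test`; presumably intentional, but worth a check.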
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
index cc89eebfe..cf04547cd 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
@@ -1,13 +1,16 @@
title: Suspicious MacOS Firmware Activity
id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
-status: experimental
+status: test
description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
-author: Austin Songer @austinsonger
-date: 2021/09/30
references:
- https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
- https://www.manpagez.com/man/8/firmwarepasswd/
- https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
+author: Austin Songer @austinsonger
+date: 2021/09/30
+modified: 2022/10/09
+tags:
+ - attack.impact
logsource:
category: process_creation
product: macos
@@ -23,5 +26,3 @@ detection:
falsepositives:
- Legitimate administration activities
level: medium
-tags:
- - attack.impact
diff --git a/rules/network/dns/net_dns_high_bytes_out.yml b/rules/network/dns/net_dns_high_bytes_out.yml
index 86cd973f6..bc2cdb6d6 100644
--- a/rules/network/dns/net_dns_high_bytes_out.yml
+++ b/rules/network/dns/net_dns_high_bytes_out.yml
@@ -1,10 +1,10 @@
title: High DNS Bytes Out
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
-status: experimental
+status: test
description: High DNS queries bytes amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1048.003
@@ -17,4 +17,4 @@ detection:
condition: selection | sum(question_length) by src_ip > 300000
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/network/dns/net_dns_high_requests_rate.yml b/rules/network/dns/net_dns_high_requests_rate.yml
index 20dd6a519..1c1be6861 100644
--- a/rules/network/dns/net_dns_high_requests_rate.yml
+++ b/rules/network/dns/net_dns_high_requests_rate.yml
@@ -1,10 +1,10 @@
title: High DNS Requests Rate
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
-status: experimental
+status: test
description: High DNS requests amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1048.003
@@ -19,4 +19,4 @@ detection:
condition: selection | count() by src_ip > 1000
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/network/dns/net_dns_mal_cobaltstrike.yml b/rules/network/dns/net_dns_mal_cobaltstrike.yml
index a7c46dd46..09545969f 100644
--- a/rules/network/dns/net_dns_mal_cobaltstrike.yml
+++ b/rules/network/dns/net_dns_mal_cobaltstrike.yml
@@ -1,19 +1,22 @@
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
-status: experimental
+status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
-author: Florian Roth
-date: 2018/05/10
-modified: 2021/03/24
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+author: Florian Roth
+date: 2018/05/10
+modified: 2022/10/09
+tags:
+ - attack.command_and_control
+ - attack.t1071.004
logsource:
category: dns
detection:
selection1:
query|startswith:
- - 'aaa.stage.'
+ - 'aaa.stage.'
- 'post.1'
selection2:
query|contains: '.stage.123456.'
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: critical
-tags:
- - attack.command_and_control
- - attack.t1071.004
diff --git a/rules/network/dns/net_dns_susp_b64_queries.yml b/rules/network/dns/net_dns_susp_b64_queries.yml
index 76cbf9663..8d929173e 100644
--- a/rules/network/dns/net_dns_susp_b64_queries.yml
+++ b/rules/network/dns/net_dns_susp_b64_queries.yml
@@ -1,12 +1,17 @@
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
-status: experimental
+status: test
description: Detects suspicious DNS queries using base64 encoding
-author: Florian Roth
-date: 2018/05/10
-modified: 2021/08/09
references:
- https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+modified: 2022/10/09
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+ - attack.command_and_control
+ - attack.t1071.004
logsource:
category: dns
detection:
@@ -16,8 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.exfiltration
- - attack.t1048.003
- - attack.command_and_control
- - attack.t1071.004
diff --git a/rules/network/dns/net_dns_susp_telegram_api.yml b/rules/network/dns/net_dns_susp_telegram_api.yml
index b37de31a3..46d88cedb 100644
--- a/rules/network/dns/net_dns_susp_telegram_api.yml
+++ b/rules/network/dns/net_dns_susp_telegram_api.yml
@@ -1,15 +1,18 @@
title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
-status: experimental
+status: test
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
-author: Florian Roth
-date: 2018/06/05
-modified: 2021/08/09
references:
- https://core.telegram.org/bots/faq
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+modified: 2022/10/09
+tags:
+ - attack.command_and_control
+ - attack.t1102.002
logsource:
category: dns
detection:
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
-tags:
- - attack.command_and_control
- - attack.t1102.002
\ No newline at end of file
diff --git a/rules/network/firewall/net_firewall_high_dns_bytes_out.yml b/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
index 1b5e3bf9f..da3ba2036 100644
--- a/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
+++ b/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
@@ -1,10 +1,10 @@
title: High DNS Bytes Out
id: 3b6e327d-8649-4102-993f-d25786481589
-status: experimental
+status: test
description: High DNS queries bytes amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1048.003
@@ -17,4 +17,4 @@ detection:
condition: selection | sum(message_size) by src_ip > 300000
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/network/firewall/net_firewall_high_dns_requests_rate.yml b/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
index b57f3feca..274f5f5ca 100644
--- a/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
+++ b/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
@@ -1,10 +1,10 @@
title: High DNS Requests Rate
id: 51186749-7415-46be-90e5-6914865c825a
-status: experimental
+status: test
description: High DNS requests amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1048.003
@@ -13,10 +13,10 @@ tags:
logsource:
category: firewall
detection:
- selection:
+ selection:
dst_port: 53
timeframe: 1m
condition: selection | count() by src_ip > 1000
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml b/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
index 8037e1b0a..91f6943b2 100644
--- a/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
+++ b/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
@@ -1,15 +1,15 @@
title: Network Scans Count By Destination Port
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
-status: experimental
+status: test
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
-modified: 2021/09/21
-logsource:
- category: firewall
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1046
+logsource:
+ category: firewall
detection:
selection:
action: denied
@@ -22,4 +22,4 @@ level: medium
fields:
- src_ip
- dst_ip
- - dst_port
\ No newline at end of file
+ - dst_port
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index c8baf1ae0..ee86156b6 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -1,18 +1,19 @@
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
+status: test
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
-status: experimental
-author: '@neu5ron, @Antonlovesdnb, Mike Remen'
-date: 2021/08/17
references:
- https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
+author: '@neu5ron, @Antonlovesdnb, Mike Remen'
+date: 2021/08/17
+modified: 2022/10/09
tags:
- attack.t1557.001
- attack.t1187
@@ -25,6 +26,9 @@ detection:
- 'Efs'
- 'efs'
condition: selection
+falsepositives:
+ - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
+level: medium
fields:
- id.orig_h
- id.resp_h
@@ -33,6 +37,3 @@ fields:
- endpoint
- named_pipe
- uid
-falsepositives:
- - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
-level: medium
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index b9f7565d5..3e3c14fb1 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,17 +1,17 @@
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
+status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-status: experimental
-author: OTR (Open Threat Research), @neu5ron
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
+author: OTR (Open Threat Research), @neu5ron
+date: 2018/11/28
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1021.002
-date: 2018/11/28
-modified: 2021/08/23
logsource:
product: zeek
service: smb_files
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index 2178cd31e..e6b75163e 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -1,26 +1,26 @@
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
+status: test
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
-status: experimental
+references:
+ - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021/06/23
-modified: 2021/08/24
-references:
- - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
+modified: 2022/10/09
tags:
- - attack.command_and_control
- - attack.s0154
+ - attack.command_and_control
+ - attack.s0154
logsource:
- product: zeek
- service: x509
+ product: zeek
+ service: x509
detection:
- selection:
- certificate.serial: 8BB00EE
- condition: selection
+ selection:
+ certificate.serial: 8BB00EE
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
fields:
- san.dns
- certificate.subject
- certificate.issuer
-falsepositives:
- - Unknown
-level: high
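Review bot: `certificate.serial: 8BB00EE` remains an unquoted plain scalar after the re-indentation; it happens to read as a string, but a hex serial consisting only of digits, or one shaped like `1E10`, would be parsed by YAML as a number, so quoting it (`certificate.serial: '8BB00EE'`) makes the intent explicit and matches how string values elsewhere in this commit are written. Worth doing now, since the field's value is the whole detection.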
diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
index 306a153b0..093d43e92 100644
--- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
@@ -3,69 +3,69 @@ id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
status: experimental
date: 2021/05/04
-modified: 2022/02/24
+modified: 2022/10/05
references:
- - 'https://twitter.com/neu5ron/status/1346245602502443009'
- - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
- - 'https://tools.ietf.org/html/rfc2929#section-2.1'
- - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
+ - 'https://twitter.com/neu5ron/status/1346245602502443009'
+ - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
+ - 'https://tools.ietf.org/html/rfc2929#section-2.1'
+ - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
tags:
- - attack.t1095
- - attack.t1571
- - attack.command_and_control
+ - attack.t1095
+ - attack.t1571
+ - attack.command_and_control
logsource:
- product: zeek
- service: dns
+ product: zeek
+ service: dns
detection:
- z_flag_unset:
- Z: '0'
- most_probable_valid_domain:
- query|contains: '.'
- exclude_tlds:
- query|endswith:
- - '.arpa'
- - '.local'
- - '.ultradns.net'
- - '.twtrdns.net'
- - '.azuredns-prd.info'
- - '.azure-dns.com'
- - '.azuredns-ff.info'
- - '.azuredns-ff.org'
- - '.azuregov-dns.org'
- exclude_query_types:
- qtype_name:
- - 'NS'
- - 'ns'
- - 'MX'
- - 'mx'
- exclude_responses:
- answers|endswith: '\\x00'
- exclude_netbios:
- id.resp_p:
- - '137'
- - '138'
- - '139'
- condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
+ z_flag_unset:
+ Z: 0
+ most_probable_valid_domain:
+ query|contains: '.'
+ exclude_tlds:
+ query|endswith:
+ - '.arpa'
+ - '.local'
+ - '.ultradns.net'
+ - '.twtrdns.net'
+ - '.azuredns-prd.info'
+ - '.azure-dns.com'
+ - '.azuredns-ff.info'
+ - '.azuredns-ff.org'
+ - '.azuregov-dns.org'
+ exclude_query_types:
+ qtype_name:
+ - 'NS'
+ - 'ns'
+ - 'MX'
+ - 'mx'
+ exclude_responses:
+ answers|endswith: '\\x00'
+ exclude_netbios:
+ id.resp_p:
+ - 137
+ - 138
+ - 139
+ condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
falsepositives:
- - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
- - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
+ - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
+ - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
level: medium
fields:
- - ts
- - id.orig_h
- - id.orig_p
- - id.resp_h
- - id.resp_p
- - proto
- - qtype_name
- - qtype
- - query
- - answers
- - rcode
- - rcode_name
- - trans_id
- - qtype
- - ttl
- - AA
- - uid
+ - ts
+ - id.orig_h
+ - id.orig_p
+ - id.resp_h
+ - id.resp_p
+ - proto
+ - qtype_name
+ - qtype
+ - query
+ - answers
+ - rcode
+ - rcode_name
+ - trans_id
+ - qtype
+ - ttl
+ - AA
+ - uid
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 7807a9568..b6cc2cd3a 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,11 +1,14 @@
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
+status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
-status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
-date: 2021/08/15
author: Saw Winn Naung , Azure-Sentinel
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+ - attack.t1048
logsource:
service: dns
product: zeek
@@ -45,10 +48,8 @@ detection:
- 's5.tor-gateways.de'
- 'hiddenservice.net'
condition: selection
-fields:
- - clientip
falsepositives:
- Unknown
level: medium
-tags:
- - attack.t1048
\ No newline at end of file
+fields:
+ - clientip
diff --git a/rules/proxy/proxy_apt_domestic_kitten.yml b/rules/proxy/proxy_apt_domestic_kitten.yml
index 963c9efe7..f913e2d4b 100644
--- a/rules/proxy/proxy_apt_domestic_kitten.yml
+++ b/rules/proxy/proxy_apt_domestic_kitten.yml
@@ -1,26 +1,27 @@
title: Domestic Kitten FurBall Malware Pattern
id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1
-status: experimental
+status: test
description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
-author: Florian Roth
references:
- https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
+author: Florian Roth
date: 2021/02/08
+modified: 2022/10/09
tags:
- attack.command_and_control
logsource:
category: proxy
detection:
selection:
- c-uri|contains:
+ c-uri|contains:
- 'Get~~~AllBrowser'
- 'Get~~~HardwareInfo'
- 'Take~~RecordCall'
- 'Reset~~~AllCommand'
condition: selection
-fields:
- - c-ip
- - c-uri
falsepositives:
- Unlikely
level: high
+fields:
+ - c-ip
+ - c-uri
diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
index 7b97de252..bf5fc56a4 100644
--- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml
+++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
@@ -1,24 +1,22 @@
title: CVE-2010-5278 Exploitation Attempt
id: a4a899e8-fd7a-49dd-b5a8-7044def72d61
+status: test
+description: MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates
author: Subhash Popuri (@pbssubhash)
date: 2021/08/25
-status: experimental
-description: MODx manager - Local File Inclusion:Directory traversal vulnerability
- in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and
- possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to
- read arbitrary files via a .. (dot dot) in the class_key parameter.
-references:
- - https://github.com/projectdiscovery/nuclei-templates
-logsource:
- category: webserver
-detection:
- selection:
- c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
- condition: selection
-falsepositives:
- - Scanning from Nuclei
- - Unknown
+modified: 2022/10/09
tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+ condition: selection
+falsepositives:
+ - Scanning from Nuclei
+ - Unknown
level: critical
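Review bot: The detection is anchored on one exact payload (`tvs.php?class_key=` followed by a fixed number of `../` segments and `windows/win.ini%00`), so a traversal in `class_key` with a different depth or target file is missed; the commit only moves the line, but for a rule at `level: critical` a broader match such as `c-uri|contains|all:` with `tvs.php` and `class_key=../` would serve better, with the Nuclei falsepositives entry kept as is. The description's `Local File Inclusion:Directory traversal` is also missing a space after the colon, which would be cheap to fix while the line is being rewritten onto one line anyway.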
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index 40b443f54..f8a9ca3cc 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -1,28 +1,28 @@
title: Oracle WebLogic Exploit
id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
-status: experimental
+status: test
description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
-author: Florian Roth
-date: 2018/07/22
-modified: 2021/08/09
references:
- https://twitter.com/pyn3rd/status/1020620932967223296
- https://github.com/LandGrey/CVE-2018-2894
-logsource:
- category: webserver
-detection:
- selection:
- c-uri: '*/config/keystore/*.js*'
- condition: selection
-fields:
- - c-ip
- - c-dns
-falsepositives:
- - Unknown
-level: critical
+author: Florian Roth
+date: 2018/07/22
+modified: 2022/10/09
tags:
- attack.t1190
- attack.initial_access
- attack.persistence
- attack.t1505.003
- cve.2018.2894
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri: '*/config/keystore/*.js*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml b/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
index 1412d23d8..fbed88918 100644
--- a/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
+++ b/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
@@ -1,12 +1,17 @@
title: TerraMaster TOS CVE-2020-28188
id: 15c312b9-00d0-4feb-8870-7d940a4bdc5e
-status: experimental
+status: test
description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
-author: Bhabesh Raj
-date: 2021/01/25
references:
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
+author: Bhabesh Raj
+date: 2021/01/25
+modified: 2022/10/09
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - cve.2020.28188
logsource:
category: webserver
detection:
@@ -24,13 +29,9 @@ detection:
- 'chmod'
- '_GET'
condition: base_url and payload
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: high
-tags:
- - attack.t1190
- - attack.initial_access
- - cve.2020.28188
\ No newline at end of file
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
index 98eb7aa2e..939792627 100644
--- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -1,12 +1,17 @@
title: Cisco ASA FTD Exploit CVE-2020-3452
id: aba47adc-4847-4970-95c1-61dce62a8b29
-status: experimental
+status: test
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
-author: Florian Roth
-date: 2021/01/07
references:
- https://twitter.com/aboul3la/status/1286012324722155525
- https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
+author: Florian Roth
+date: 2021/01/07
+modified: 2022/10/09
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - cve.2020.3452
logsource:
category: webserver
detection:
@@ -23,13 +28,9 @@ detection:
select_status_code:
sc-status: 200
condition: selection_endpoint and selection_path_select and select_status_code
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: high
-tags:
- - attack.t1190
- - attack.initial_access
- - cve.2020.3452
\ No newline at end of file
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml b/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml
index 4e74868c8..e24f7c6e3 100644
--- a/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml
+++ b/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml
@@ -1,14 +1,17 @@
title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
-description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
-author: Florian Roth
-status: experimental
-date: 2020/07/10
-modified: 2021/08/09
+status: test
+description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
references:
- https://support.citrix.com/article/CTX276688
- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
- https://dmaasland.github.io/posts/citrix.html
+author: Florian Roth
+date: 2020/07/10
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: webserver
detection:
@@ -20,14 +23,11 @@ detection:
- 'type=all_signatures'
- 'sig_name=_default_signature_'
condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: critical
fields:
- client_ip
- vhost
- url
- response
-falsepositives:
- - Unknown
-level: critical
-tags:
- - attack.initial_access
- - attack.t1190
diff --git a/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
index 4cf8badf1..875dda874 100644
--- a/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
+++ b/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
@@ -1,40 +1,40 @@
title: Arcadyan Router Exploitations
id: f0500377-bc70-425d-ac8c-e956cd906871
-status: experimental
+status: test
description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
references:
- - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- - https://www.tenable.com/security/research/tra-2021-13
- - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
+ - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
+ - https://www.tenable.com/security/research/tra-2021-13
+ - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
author: Bhabesh Raj
date: 2021/08/24
-modified: 2021/08/25
-falsepositives:
- - Unknown
-level: critical
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
- cve.2021.20090
- cve.2021.20091
logsource:
- category: webserver
+ category: webserver
detection:
- path_traversal:
+ path_traversal:
# CVE-2021-20090 (Bypass Auth: Path Traversal)
- c-uri|contains: '..%2f'
- config_file_inj:
- c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
- - '..%2f'
- - 'apply_abstract.cgi'
- noauth_list:
- c-uri|contains:
- - '/images/'
- - '/js/'
- - '/css/'
- - '/setup_top_login.htm'
- - '/login.html'
- - '/loginerror.html'
- - '/loginexclude.html'
- - '/loginlock.html'
- condition: (path_traversal or config_file_inj) and noauth_list
\ No newline at end of file
+ c-uri|contains: '..%2f'
+ config_file_inj:
+ c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
+ - '..%2f'
+ - 'apply_abstract.cgi'
+ noauth_list:
+ c-uri|contains:
+ - '/images/'
+ - '/js/'
+ - '/css/'
+ - '/setup_top_login.htm'
+ - '/login.html'
+ - '/loginerror.html'
+ - '/loginexclude.html'
+ - '/loginlock.html'
+ condition: (path_traversal or config_file_inj) and noauth_list
+falsepositives:
+ - Unknown
+level: critical
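Review bot: `config_file_inj` is a strict subset of `path_traversal` — it requires `'..%2f'` together with `'apply_abstract.cgi'`, while `path_traversal` already fires on `'..%2f'` alone — so `(path_traversal or config_file_inj) and noauth_list` reduces to `path_traversal and noauth_list` and the chained-exploit selection never contributes a match. If the intent is to single out the CVE-2021-20091 chaining case it needs its own condition term or a separate rule; otherwise the selection and its comment could be dropped. The block is moved unchanged by the re-indentation, so this predates the commit.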
diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
index 410ad1e43..2b0ae93f3 100644
--- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
+++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -1,12 +1,17 @@
title: Oracle WebLogic Exploit CVE-2021-2109
id: 687f6504-7f44-4549-91fc-f07bab065821
-status: experimental
-description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
-author: Bhabesh Raj
-date: 2021/01/20
+status: test
+description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
references:
- https://twitter.com/pyn3rd/status/1351696768065409026
- https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
+author: Bhabesh Raj
+date: 2021/01/20
+modified: 2022/10/09
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - cve.2021.2109
logsource:
category: webserver
detection:
@@ -17,13 +22,9 @@ detection:
- 'ldap://'
- 'AdminServer'
condition: selection
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: critical
-tags:
- - attack.t1190
- - attack.initial_access
- - cve.2021.2109
\ No newline at end of file
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
index 30d7e2378..6e9191c74 100644
--- a/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
+++ b/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
@@ -1,14 +1,17 @@
-title: CVE-2021-21972 VSphere Exploitation
+title: CVE-2021-21972 VSphere Exploitation
id: 179ed852-0f9b-4009-93a7-68475910fd86
-status: experimental
+status: test
description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
-author: Bhabesh Raj
-date: 2021/02/24
-modified: 2021/08/09
references:
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://f5.pm/go-59627.html
- https://swarm.ptsecurity.com/unauth-rce-vmware
+author: Bhabesh Raj
+date: 2021/02/24
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: webserver
detection:
@@ -16,12 +19,9 @@ detection:
cs-method: 'POST'
c-uri: '/ui/vropspluginui/rest/services/uploadova'
condition: selection
-fields:
- - c-ip
- - c-dns
falsepositives:
- OVA uploads to your VSphere appliance
level: high
-tags:
- - attack.initial_access
- - attack.t1190
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload.yml b/rules/web/web_cve_2021_22005_vmware_file_upload.yml
index 08bfa355a..aa28e6f4a 100644
--- a/rules/web/web_cve_2021_22005_vmware_file_upload.yml
+++ b/rules/web/web_cve_2021_22005_vmware_file_upload.yml
@@ -1,12 +1,13 @@
title: VMware vCenter Server File Upload CVE-2021-22005
id: b014ea07-8ea0-4859-b517-50a4e5b7ecec
-status: experimental
+status: test
description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
-author: Sittikorn S
-date: 2021/09/24
references:
- https://kb.vmware.com/s/article/85717
- https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
+author: Sittikorn S
+date: 2021/09/24
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
index b54b1917e..e31b73267 100644
--- a/rules/web/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -1,25 +1,26 @@
title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
-status: experimental
+status: test
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
-author: Florian Roth
-date: 2021/05/22
references:
- https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
+author: Florian Roth
+date: 2021/05/22
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021.21978
+ - cve.2021.26814
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
condition: selection
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: high
-tags:
- - attack.initial_access
- - attack.t1190
- - cve.2021.21978
- - cve.2021.26814
+fields:
+ - c-ip
+ - c-dns
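Review bot: The moved tag `cve.2021.21978` does not match the CVE named in the title, description or reference, which is CVE-2021-26814 only; it looks like a carry-over from another rule and should be verified or removed so that the list reads `- cve.2021.26814` alone. Nothing visible in the hunk ties this rule to a second CVE.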
diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml
index c31fb2d0a..02853d426 100644
--- a/rules/web/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/web_cve_2021_26858_iis_rce.yml
@@ -1,11 +1,12 @@
title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
-status: experimental
+status: test
description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
references:
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
+modified: 2022/10/09
logsource:
product: windows
category: webserver
@@ -21,7 +22,7 @@ detection:
cs-username|endswith: '$'
keywords:
- 'POST'
- - '200'
+ - 200
- '/ecp/DDI/DDIService.svc/SetObject'
- 'schema=Reset'
- 'VirtualDirectory'
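Review bot: Dropping the quotes on `- 200` under `keywords` turns a free-text search term into a YAML integer, which is a type change rather than the cosmetic fix applied to `sc-status` elsewhere in this commit; keyword lists are matched against the whole event as text and a numeric unbound value is not handled uniformly by converters, so `- '200'` should stay quoted. Separately, if this list is OR-ed as Sigma keyword lists normally are, the bare `'POST'` and `'200'` terms would match nearly every IIS request on their own, which is worth checking against the `condition` that lies outside the hunk.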
diff --git a/rules/web/web_cve_2021_28480_exchange_exploit.yml b/rules/web/web_cve_2021_28480_exchange_exploit.yml
index b3b3f21bf..073edd5e7 100644
--- a/rules/web/web_cve_2021_28480_exchange_exploit.yml
+++ b/rules/web/web_cve_2021_28480_exchange_exploit.yml
@@ -1,23 +1,24 @@
title: Exchange Exploitation CVE-2021-28480
id: a2a9d722-0acb-4096-bccc-daaf91a5037b
-status: experimental
+status: test
description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
references:
- - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+ - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
author: Florian Roth
date: 2021/05/14
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
logsource:
- category: webserver
+ category: webserver
detection:
- selection:
- c-uri|contains: '/owa/calendar/a'
- cs-method: 'POST'
- filter:
- sc-status: 503
- condition: selection and not filter
+ selection:
+ c-uri|contains: '/owa/calendar/a'
+ cs-method: 'POST'
+ filter:
+ sc-status: 503
+ condition: selection and not filter
falsepositives:
- - Unknown
-level: critical
\ No newline at end of file
+ - Unknown
+level: critical
diff --git a/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml
index ad016091d..965910353 100644
--- a/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml
+++ b/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml
@@ -1,11 +1,12 @@
title: CVE-2021-33766 Exchange ProxyToken Exploitation
id: 56973b50-3382-4b56-bdf5-f51a3183797a
-status: experimental
-description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
-author: Florian Roth, Max Altgelt, Christian Burkard
-date: 2021/08/30
+status: test
+description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
references:
- https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
+author: Florian Roth, Max Altgelt, Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
@@ -19,14 +20,14 @@ detection:
- '/RulesEditor/InboxRules.svc/NewObject'
sc-status: 500
selection2:
- c-uri|contains|all:
+ c-uri|contains|all:
- 'SecurityToken='
- '/ecp/'
sc-status: 500
condition: selection1 or selection2
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: critical
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_cve_2021_40539_adselfservice.yml b/rules/web/web_cve_2021_40539_adselfservice.yml
index b64699587..0ee98a83c 100644
--- a/rules/web/web_cve_2021_40539_adselfservice.yml
+++ b/rules/web/web_cve_2021_40539_adselfservice.yml
@@ -1,11 +1,12 @@
title: ADSelfService Exploitation
id: 6702b13c-e421-44cc-ab33-42cc25570f11
-status: experimental
+status: test
description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
-author: Tobias Michalski, Max Altgelt
references:
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+author: Tobias Michalski, Max Altgelt
date: 2021/09/20
+modified: 2022/10/09
logsource:
category: webserver
detection:
diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 6666cbf0d..d3a32139b 100644
--- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -1,6 +1,6 @@
title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
-status: experimental
+status: test
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
- https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
@@ -8,7 +8,7 @@ references:
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Sittikorn S, Nuttakorn Tungpoonsup
date: 2021/09/10
-modified: 2021/09/17
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
@@ -24,9 +24,9 @@ detection:
- '/RestAPI/LogonCustomization'
- '/RestAPI/Connection'
condition: selection
-fields:
- - c-ip
- - c-uri
falsepositives:
- Unknown
level: critical
+fields:
+ - c-ip
+ - c-uri
diff --git a/rules/web/web_cve_2022_27925_exploit.yml b/rules/web/web_cve_2022_27925_exploit.yml
index 852b03bfc..a849075d6 100644
--- a/rules/web/web_cve_2022_27925_exploit.yml
+++ b/rules/web/web_cve_2022_27925_exploit.yml
@@ -24,8 +24,8 @@ detection:
- 'no-switch'
- 'append'
sc-status:
- - '401'
- - '200'
+ - 401
+ - 200
selection_shell:
cs-uri|contains: '/zimbraAdmin/'
cs-uri|endswith: '.jsp'
diff --git a/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
new file mode 100644
index 000000000..7116166d0
--- /dev/null
+++ b/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
@@ -0,0 +1,27 @@
+title: Atlassian Bitbucket Command Injection Via Archive API
+id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
+status: experimental
+description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
+author: Nasreddine Bencherchali
+date: 2022/09/29
+references:
+ - https://twitter.com/_0xf4n9x_/status/1572052954538192901
+ - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
+ - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
+ - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2022.36804
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains|all:
+ - '/rest/api/latest/projects/'
+ - 'prefix='
+ - '%00--exec'
+ condition: selection
+falsepositives:
+ - Web vulnerability scanners
+level: high
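Review bot: The new rule places `author` and `date` before `references`, while every other rule touched in this commit is being normalised to `references` followed by `author`, `date`, `modified`; moving those two keys below the references keeps the file consistent with the ordering the commit establishes. The `c-uri|contains|all` match also depends on `%00--exec` appearing literally in the logged URI, so the rule only works where the webserver logsource records the undecoded request line; a comment such as `# expects the raw, URL-encoded request URI in the log` would make that assumption visible to tuners.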
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
index d9bdd9bd7..dbc49417a 100644
--- a/rules/web/web_exchange_exploitation_hafnium.yml
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
@@ -1,62 +1,63 @@
title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
-status: experimental
-description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
+status: test
+description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
- - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Florian Roth
date: 2021/03/03
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
logsource:
- category: webserver
+ category: webserver
detection:
- selection1:
- cs-method: 'POST'
- c-uri|contains: '/owa/auth/Current/themes/resources/'
- selection2:
- cs-method: 'POST'
- c-uri|contains: '/owa/auth/Current/'
- c-useragent:
- - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
- - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
- - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
- - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
- - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
- - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
- - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
- - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
- - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
- selection3:
- c-uri|contains: '/ecp/'
- cs-method: 'POST'
- c-useragent:
- - 'ExchangeServicesClient/0.0.0.0'
- - 'python-requests/2.19.1'
- - 'python-requests/2.25.1'
- selection4:
- c-uri|contains:
- - '/aspnet_client/'
- - '/owa/'
- cs-method: 'POST'
- c-useragent:
- - 'antSword/v2.1'
- - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
- - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
- selection5:
- c-uri|contains:
- - '/owa/auth/Current/'
- - '/ecp/default.flt'
- - '/ecp/main.css'
- cs-method: 'POST'
- selection6:
- cs-method: 'POST'
- c-uri|contains|all:
- - '/ecp/'
- - '.js'
- condition: 1 of selection*
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/themes/resources/'
+ selection2:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/'
+ c-useragent:
+ - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
+ - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
+ - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
+ - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
+ - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
+ - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
+ - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
+ selection3:
+ c-uri|contains: '/ecp/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'ExchangeServicesClient/0.0.0.0'
+ - 'python-requests/2.19.1'
+ - 'python-requests/2.25.1'
+ selection4:
+ c-uri|contains:
+ - '/aspnet_client/'
+ - '/owa/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'antSword/v2.1'
+ - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ selection5:
+ c-uri|contains:
+ - '/owa/auth/Current/'
+ - '/ecp/default.flt'
+ - '/ecp/main.css'
+ cs-method: 'POST'
+ selection6:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/ecp/'
+ - '.js'
+ condition: 1 of selection*
falsepositives:
- - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
-level: high
\ No newline at end of file
+ - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
+level: high
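Review bot: The `c-useragent` entry `'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'` in `selection2` is missing the closing `)` that its neighbours have, and `c-useragent` carries no `|contains` modifier here, so it is an exact match that a complete UA string would never satisfy. If the referenced reports recorded the value exactly as written this is fine; otherwise it should read `'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)'`. The value is moved unchanged by the re-indentation, so this predates the commit.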
diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml
index 97c00b76a..445b6e0b2 100644
--- a/rules/web/web_exchange_proxyshell.yml
+++ b/rules/web/web_exchange_proxyshell.yml
@@ -8,23 +8,25 @@ references:
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth, Rich Warren
date: 2021/08/07
-modified: 2021/08/08
+modified: 2022/10/06
tags:
- attack.initial_access
+ - attack.t1190
logsource:
category: webserver
detection:
- selection_auto:
+ selection_1:
+ sc-status: 401
+ selection_1_auto:
c-uri|contains: '/autodiscover.json'
- selection_uri:
+ selection_1_uri:
c-uri|contains:
- '/powershell'
- '/mapi/nspi'
- '/EWS'
- 'X-Rps-CAT'
- selection:
- sc-status: 401
selection_poc:
+ sc-status: 401
c-uri|contains:
# since we don't know how it will appear in the log files, we'll just use all versions
- 'autodiscover.json?@'
@@ -32,7 +34,7 @@ detection:
- '%3f@foo.com'
- 'Email=autodiscover/autodiscover.json'
- 'json?@foo.com'
- condition: selection_auto and selection_uri or selection_poc
+ condition: all of selection_1* or selection_poc
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: high
diff --git a/rules/web/web_exchange_proxyshell_successful.yml b/rules/web/web_exchange_proxyshell_successful.yml
index a4dd76a07..ac499cbe3 100644
--- a/rules/web/web_exchange_proxyshell_successful.yml
+++ b/rules/web/web_exchange_proxyshell_successful.yml
@@ -1,6 +1,6 @@
title: Successful Exchange ProxyShell Attack
id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8
-status: experimental
+status: test
description: Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
references:
- https://youtu.be/5mqid-7zp8k?t=2231
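Review bot: `description` reads "Detects URP patterns", which looks like a typo for "URI patterns"; since the hunk already touches the metadata block, `description: Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers` would fix it in the same change. The description line is context here, not altered by the commit.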
@@ -8,6 +8,7 @@ references:
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth, Rich Warren
date: 2021/08/09
+modified: 2022/10/09
tags:
- attack.initial_access
logsource:
@@ -22,10 +23,10 @@ detection:
- '/EWS'
- 'X-Rps-CAT'
selection_success:
- sc-status:
+ sc-status:
- 200
- 301
condition: selection_auto and selection_uri and selection_success
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml
index fc60d7a18..b11a6f505 100644
--- a/rules/web/web_iis_tilt_shortname_scan.yml
+++ b/rules/web/web_iis_tilt_shortname_scan.yml
@@ -1,13 +1,14 @@
title: Successful IIS Shortname Fuzzing Scan
id: 7cb02516-6d95-4ffc-8eee-162075e111ac
-status: experimental
-author: frack113
+status: test
description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
references:
- https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
- https://www.exploit-db.com/exploits/19525
- https://github.com/lijiejie/IIS_shortname_Scanner
+author: frack113
date: 2021/10/06
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1190
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
index 58df5c969..5e28f1cc6 100644
--- a/rules/web/web_nginx_core_dump.yml
+++ b/rules/web/web_nginx_core_dump.yml
@@ -1,12 +1,16 @@
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
+status: test
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
-status: experimental
-author: Florian Roth
-date: 2021/05/31
references:
- https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
- https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+author: Florian Roth
+date: 2021/05/31
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1499.004
logsource:
service: apache
detection:
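Review bot: `logsource` is `service: apache` in a rule titled "Nginx Core Dump" whose references are Nginx documentation and advisories, which is inconsistent at first sight. If the intent is that Nginx error logs are collected under the same generic web-server log source, a comment such as `# nginx error log; collected under the generic apache webserver service` would save the next reader the question; otherwise the logsource should name nginx. The logsource line is context in this hunk and the detection block lies outside it.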
@@ -16,6 +20,3 @@ detection:
falsepositives:
- Serious issues with a configuration or plugin
level: high
-tags:
- - attack.impact
- - attack.t1499.004
diff --git a/rules/web/web_path_traversal_exploitation_attempt.yml b/rules/web/web_path_traversal_exploitation_attempt.yml
index 5eeeed755..d47dfba7c 100644
--- a/rules/web/web_path_traversal_exploitation_attempt.yml
+++ b/rules/web/web_path_traversal_exploitation_attempt.yml
@@ -1,24 +1,25 @@
title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
-author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)
-date: 2021/09/25
-status: experimental
+status: test
description: Detects path traversal exploitation attempts
references:
- - https://github.com/projectdiscovery/nuclei-templates
-logsource:
- category: webserver
-detection:
- selection:
- c-uri|contains:
- - '../../../../../etc/passwd'
- - '../../../../windows/'
- - '../../../../../lib/password'
- condition: selection
-falsepositives:
- - Happens all the time on systems exposed to the Internet
- - Internal vulnerability scanners
+ - https://github.com/projectdiscovery/nuclei-templates
+author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)
+date: 2021/09/25
+modified: 2022/10/09
tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains:
+ - '../../../../../etc/passwd'
+ - '../../../../windows/'
+ - '../../../../../lib/password'
+ condition: selection
+falsepositives:
+ - Happens all the time on systems exposed to the Internet
+ - Internal vulnerability scanners
level: medium
diff --git a/rules/web/web_solarwinds_supernova_webshell.yml b/rules/web/web_solarwinds_supernova_webshell.yml
index ec43bcd23..db02465ba 100644
--- a/rules/web/web_solarwinds_supernova_webshell.yml
+++ b/rules/web/web_solarwinds_supernova_webshell.yml
@@ -1,13 +1,13 @@
title: Solarwinds SUPERNOVA Webshell Access
id: a2cee20b-eacc-459f-861d-c02e5d12f1db
-status: experimental
+status: test
description: Detects access to SUPERNOVA webshell as described in Guidepoint report
-author: Florian Roth
-date: 2020/12/17
-modified: 2021/08/09
references:
- https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
- https://www.anquanke.com/post/id/226029
+author: Florian Roth
+date: 2020/12/17
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1505.003
@@ -22,9 +22,9 @@ detection:
c-uri|contains: 'logoimagehandler.ashx'
sc-status: 500
condition: selection1 or selection2
+falsepositives:
+ - Unknown
+level: critical
fields:
- client_ip
- response
-falsepositives:
- - Unknown
-level: critical
\ No newline at end of file
diff --git a/rules/web/web_sonicwall_jarrewrite_exploit.yml b/rules/web/web_sonicwall_jarrewrite_exploit.yml
index b96b9bd73..7b5fef49d 100644
--- a/rules/web/web_sonicwall_jarrewrite_exploit.yml
+++ b/rules/web/web_sonicwall_jarrewrite_exploit.yml
@@ -1,27 +1,28 @@
title: SonicWall SSL/VPN Jarrewrite Exploit
id: 6f55f047-112b-4101-ad32-43913f52db46
-status: experimental
+status: test
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
+references:
+ - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
author: Florian Roth
date: 2021/01/25
+modified: 2022/10/09
tags:
- attack.t1190
- attack.initial_access
-references:
- - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/cgi-bin/jarrewrite.sh'
- c-useragent|contains:
+ c-useragent|contains:
- ':;'
- '() {'
- '/bin/bash -c'
condition: selection
-fields:
- - c-ip
- - c-dns
falsepositives:
- Unknown
level: high
+fields:
+ - c-ip
+ - c-dns
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index 51e3015bd..dcce07dd3 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@@ -4,24 +4,24 @@ status: test
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
references:
- - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
+ - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
+ - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
date: 2019/06/08
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- category: webserver
+ category: webserver
detection:
- keywords:
- - '*.git/*'
- condition: keywords
+ keywords:
+ - '.git/'
+ condition: keywords
fields:
- - client_ip
- - vhost
- - url
- - response
+ - client_ip
+ - vhost
+ - url
+ - response
falsepositives:
- - Unknown
+ - Unknown
level: medium
tags:
- - attack.discovery
- - attack.t1083
+ - attack.discovery
+ - attack.t1083
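Review bot: With the wildcards removed, `'.git/'` is a plain substring keyword and will also fire on legitimate Git-over-HTTP traffic (any repository served under a `*.git/` path, for instance `.git/info/refs` fetches), so `falsepositives: - Unknown` no longer reflects the main noise source; something like `- Legitimate Git HTTP clones and fetches against repositories exposed under a .git/ path` documents it. The keyword change itself is equivalent to the old pattern wherever keyword search is a substring match.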
diff --git a/rules/web/web_unc2546_dewmode_php_webshell.yml b/rules/web/web_unc2546_dewmode_php_webshell.yml
index 3904369b9..ca17eb2f8 100644
--- a/rules/web/web_unc2546_dewmode_php_webshell.yml
+++ b/rules/web/web_unc2546_dewmode_php_webshell.yml
@@ -1,11 +1,12 @@
title: DEWMODE Webshell Access
id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
-status: experimental
+status: test
description: Detects access to DEWMODE webshell as described in FIREEYE report
-author: Florian Roth
-date: 2021/02/22
references:
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
+author: Florian Roth
+date: 2021/02/22
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1505.003
@@ -23,9 +24,9 @@ detection:
- '?fn='
- '.html?'
condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
fields:
- client_ip
- response
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
index cc1c0ca84..38bd7f8cd 100644
--- a/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/rules/windows/builtin/dns_server/win_apt_gallium.yml
@@ -3,14 +3,14 @@ id: 3db10f25-2527-4b79-8d4b-471eb900ee29
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
-status: experimental
+status: test
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-author: Tim Burrell
-date: 2020/02/07
-modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+author: Tim Burrell
+date: 2020/02/07
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.command_and_control
@@ -21,7 +21,7 @@ logsource:
detection:
selection:
EventID: 257
- QNAME:
+ QNAME:
- 'asyspy256.ddns.net'
- 'hotkillmail9sddcc.ddns.net'
- 'rosaf112.ddns.net'
@@ -32,4 +32,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index cff301370..b7ff1f8b5 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -1,13 +1,19 @@
title: LDAP Reconnaissance / Active Directory Enumeration
id: 31d68132-4038-47c7-8f8e-635a39a7c174
-status: experimental
+status: test
description: Detects possible Active Directory enumeration via LDAP
-author: Adeem Mawani
-date: 2021/06/22
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
+author: Adeem Mawani
+date: 2021/06/22
+modified: 2022/10/09
+tags:
+ - attack.discovery
+ - attack.t1069.002
+ - attack.t1087.002
+ - attack.t1482
logsource:
product: windows
service: ldap_debug
@@ -69,8 +75,3 @@ detection:
- '(objectSid=*)'
condition: (generic_search and not narrow_down_filter) or suspicious_flag
level: medium
-tags:
- - attack.discovery
- - attack.t1069.002
- - attack.t1087.002
- - attack.t1482
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index 138d45dcd..dc80a5d10 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -1,11 +1,15 @@
title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
-status: experimental
+status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth
date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.t1587.001
+ - attack.resource_development
logsource:
product: windows
service: msexchange-management
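Review bot: The moved tags `attack.t1587.001` and `attack.resource_development` describe developing capabilities before an intrusion, which does not fit a rule that detects a post-exploitation `Set-OabVirtualDirectory` invocation used to plant a webshell; the sibling certificate-request rule in this commit uses `attack.persistence` and `attack.t1505.003`, which looks like the better fit here. Since the commit is already relocating the tag block, this is the moment to correct it, though the mapping should be confirmed against the referenced write-up.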
@@ -22,6 +26,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-tags:
- - attack.t1587.001
- - attack.resource_development
\ No newline at end of file
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 99a01f570..5ae421a73 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -1,11 +1,15 @@
title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
-status: experimental
+status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
- https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt
date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1505.003
logsource:
service: msexchange-management
product: windows
@@ -24,6 +28,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-tags:
- - attack.persistence
- - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index 94d65c157..e20a59983 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -1,11 +1,15 @@
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
-status: experimental
+status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard
date: 2021/08/27
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1070
logsource:
service: msexchange-management
product: windows
@@ -18,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1070
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index 6eca37cc7..1d33ee22c 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -3,16 +3,16 @@ id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: derived
-status: experimental
+status: test
description: Detects the Installation of a Exchange Transport Agent
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-tags:
- - attack.persistence
- - attack.t1505.002
-author: Tobias Michalski
+author: Tobias Michalski
date: 2021/06/08
-modified: 2021/09/19
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1505.002
logsource:
product: windows
service: msexchange-management
@@ -20,8 +20,8 @@ detection:
selection:
- 'Install-TransportAgent'
condition: selection
-fields:
- - AssemblyPath
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
-level: medium
\ No newline at end of file
+level: medium
+fields:
+ - AssemblyPath
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index f6eb146e2..bb7b90e7f 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -7,7 +7,7 @@ references:
- https://goo.gl/PsqrhT
author: Florian Roth
date: 2018/06/08
-modified: 2021/11/20
+modified: 2022/10/05
tags:
- attack.lateral_movement
- attack.t1550.002
@@ -18,7 +18,7 @@ logsource:
detection:
selection:
EventID: 8002
- ProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+ ProcessName|contains: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
condition: selection
falsepositives:
- Legacy hosts
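Review bot: `ProcessName|contains: '*'` on the new side keeps the old any-value meaning only because an unescaped `*` inside a contains value is still a wildcard under the Sigma spec (rendered as `***`), so the field is effectively required to be present rather than to contain an asterisk. The inline comment should say that so a later reader does not "fix" it by escaping the star, e.g. `# '*' is a wildcard: any ProcessName value, i.e. the field must exist; keeps 8002 from other log sources out`. The same construct is introduced for `CertThumbprint|contains: '*'` in win_petitpotam_susp_tgt_request.yml, where the same comment applies.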
diff --git a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
index 5564f0358..b9f777dab 100644
--- a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -1,11 +1,12 @@
title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
+status: test
description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
-author: Florian Roth
-status: experimental
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
+author: Florian Roth
date: 2021/07/01
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1569
@@ -15,15 +16,15 @@ logsource:
service: printservice-operational
detection:
selection:
- EventID: '316'
- keywords:
+ EventID: 316
+ keywords:
- 'UNIDRV.DLL, kernelbase.dll, '
- ' 123 '
- ' 1234 '
- 'mimispool'
condition: selection and keywords
-fields:
- - DriverAdded
falsepositives:
- Unknown
level: critical
+fields:
+ - DriverAdded
diff --git a/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
index 2474b134f..87c0b6e68 100644
--- a/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
@@ -1,17 +1,18 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
-status: experimental
-date: 2021/08/26
+references:
+ - https://o365blog.com/post/hybridhealthagent/
+ - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1012
-references:
- - https://o365blog.com/post/hybridhealthagent/
- - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
index 2fbff184b..9ab2a239c 100644
--- a/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
@@ -1,19 +1,20 @@
title: Azure AD Health Service Agents Registry Keys Access
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
+status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
-status: experimental
-date: 2021/08/26
+references:
+ - https://o365blog.com/post/hybridhealthagent/
+ - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1012
-references:
- - https://o365blog.com/post/hybridhealthagent/
- - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml
index 37a865e95..9b023f5fb 100644
--- a/rules/windows/builtin/security/win_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_ad_user_enumeration.yml
@@ -1,14 +1,14 @@
title: AD User Enumeration
id: ab6bffca-beff-4baa-af11-6733f296d57a
+status: test
description: Detects access to a domain user from a non-machine account
-status: experimental
-date: 2020/03/30
-modified: 2021/08/09
-author: Maxime Thiebaut (@0xThiebaut)
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/30
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1087.002
@@ -19,7 +19,7 @@ logsource:
detection:
selection:
EventID: 4662
- ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
+ ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
# Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
# The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
filter:
diff --git a/rules/windows/builtin/security/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml
index a2186be2b..64fdb30e2 100644
--- a/rules/windows/builtin/security/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/win_admin_rdp_login.yml
@@ -1,18 +1,18 @@
title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
+status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
+author: juju4
+date: 2017/10/29
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005
-status: experimental
-author: juju4
-date: 2017/10/29
-modified: 2021/07/07
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml
index 6b685d263..dd7f9f085 100644
--- a/rules/windows/builtin/security/win_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_alert_ruler.yml
@@ -1,16 +1,16 @@
title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
+status: test
description: This events that are generated when using the hacktool Ruler by Sensepost
-status: experimental
-author: Florian Roth
-date: 2017/05/31
-modified: 2021/08/09
references:
- https://github.com/sensepost/ruler
- https://github.com/sensepost/ruler/issues/47
- https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
+author: Florian Roth
+date: 2017/05/31
+modified: 2022/10/09
tags:
- attack.discovery
- attack.execution
diff --git a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
index 5843d6bf9..591ea6d7a 100644
--- a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
@@ -3,10 +3,13 @@ id: c0580559-a6bd-4ef6-b9b7-83703d98b561
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
+status: test
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+modified: 2022/10/09
tags:
- attack.persistence
- attack.g0049
@@ -17,9 +20,6 @@ tags:
- attack.t1112
- attack.command_and_control
- attack.t1071.004
-date: 2018/03/23
-modified: 2021/09/19
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
product: windows
service: security
@@ -32,4 +32,4 @@ detection:
condition: selection_service
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/security/win_apt_slingshot.yml b/rules/windows/builtin/security/win_apt_slingshot.yml
index 4345b4aa2..ca7f44d23 100644
--- a/rules/windows/builtin/security/win_apt_slingshot.yml
+++ b/rules/windows/builtin/security/win_apt_slingshot.yml
@@ -3,13 +3,13 @@ id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
+status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-status: experimental
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1053
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml
index 8dcb9b26c..e52b075aa 100644
--- a/rules/windows/builtin/security/win_apt_wocao.yml
+++ b/rules/windows/builtin/security/win_apt_wocao.yml
@@ -1,13 +1,15 @@
title: Operation Wocao Activity
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
-author: Florian Roth, frack113
-status: experimental
+status: test
description: Detects activity mentioned in Operation Wocao report
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
+author: Florian Roth, frack113
+date: 2019/12/20
+modified: 2022/10/09
tags:
- - attack.discovery
+ - attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
@@ -15,8 +17,6 @@ tags:
- attack.execution
- attack.t1053.005
- attack.t1059.001
-date: 2019/12/20
-modified: 2021/09/19
logsource:
product: windows
service: security
@@ -28,4 +28,4 @@ detection:
condition: selection
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/security/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml
index efb89f471..d3cc02a88 100644
--- a/rules/windows/builtin/security/win_etw_modification.yml
+++ b/rules/windows/builtin/security/win_etw_modification.yml
@@ -4,30 +4,30 @@ status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- - https://twitter.com/_xpn_/status/1268712093928378368
- - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- - https://bunnyinside.com/?term=f71e8cb9c76a
- - http://managed670.rssing.com/chan-5590147/all_p1.html
- - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+ - https://twitter.com/_xpn_/status/1268712093928378368
+ - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+ - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+ - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+ - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+ - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+ - https://bunnyinside.com/?term=f71e8cb9c76a
+ - http://managed670.rssing.com/chan-5590147/all_p1.html
+ - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
date: 2020/06/05
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- product: windows
- service: security
+ product: windows
+ service: security
detection:
- selection:
- EventID: 4657
- ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
- ObjectValueName: 'ETWEnabled'
- NewValue: '0'
- condition: selection
+ selection:
+ EventID: 4657
+ ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
+ ObjectValueName: 'ETWEnabled'
+ NewValue: 0
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
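Review bot: `NewValue: 0` replaces the quoted `'0'` with an integer, which changes the comparison type rather than the formatting: event 4657 carries NewValue as event-data text, so a backend that compares the YAML integer numerically against a string-indexed field may stop matching, while the quoted form matched regardless. The rest of this hunk is re-indentation only, so this is the one line worth confirming against the target backends; if the change was purely stylistic, `NewValue: '0'` is the safer form. The same quote-to-integer edit appears elsewhere in this commit and is presumably intended as a consistency pass, but it should be weighed field by field.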
diff --git a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
index e8450ec43..71da4bbad 100644
--- a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -7,6 +7,7 @@ level: critical
references:
- https://twitter.com/INIT_3/status/1410662463641731075
date: 2021/07/02
+modified: 2022/10/05
tags:
- attack.execution
- attack.t1569
@@ -17,7 +18,7 @@ logsource:
service: security
detection:
selection:
- EventID: '5145'
+ EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: 'spoolss'
AccessMask: '0x3'
diff --git a/rules/windows/builtin/security/win_external_device.yml b/rules/windows/builtin/security/win_external_device.yml
index 9a64bb7af..fe85965dd 100644
--- a/rules/windows/builtin/security/win_external_device.yml
+++ b/rules/windows/builtin/security/win_external_device.yml
@@ -1,10 +1,10 @@
title: External Disk Drive Or USB Storage Device
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
+status: test
description: Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later
-status: experimental
author: Keith Wright
date: 2019/11/20
-modified: 2021/08/09
+modified: 2022/10/09
tags:
- attack.t1091
- attack.t1200
@@ -16,10 +16,10 @@ logsource:
detection:
selection:
EventID: 6416
- ClassName: 'DiskDrive'
+ ClassName: 'DiskDrive'
selection2:
DeviceDescription: 'USB Mass Storage Device'
condition: selection or selection2
-falsepositives:
+falsepositives:
- Legitimate administrative activity
level: low
diff --git a/rules/windows/builtin/security/win_hidden_user_creation.yml b/rules/windows/builtin/security/win_hidden_user_creation.yml
index f85515fad..5317da307 100644
--- a/rules/windows/builtin/security/win_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_hidden_user_creation.yml
@@ -1,14 +1,15 @@
title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
-status: experimental
+references:
+ - https://twitter.com/SBousseaden/status/1387743867663958021
+author: Christian Burkard
+date: 2021/05/03
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1136.001
-references:
- - https://twitter.com/SBousseaden/status/1387743867663958021
-author: Christian Burkard
-date: 2021/05/03
logsource:
product: windows
service: security
@@ -17,9 +18,9 @@ detection:
EventID: 4720
TargetUserName|endswith: '$'
condition: selection
-fields:
- - EventCode
- - AccountName
falsepositives:
- Unknown
level: high
+fields:
+ - EventCode
+ - AccountName
diff --git a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
index 7b2b0166d..eb95ff0a5 100644
--- a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
@@ -1,15 +1,15 @@
title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+status: test
description: Rule to detect the Hybrid Connection Manager service installation.
-status: experimental
-date: 2021/04/12
-modified: 2021/08/09
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.persistence
- - attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1554
logsource:
product: windows
service: security
@@ -17,7 +17,7 @@ detection:
selection:
EventID: 4697
ServiceName: HybridConnectionManager
- ServiceFileName|contains: HybridConnectionManager
+ ServiceFileName|contains: HybridConnectionManager
condition: selection
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
index 2515ea970..e6fedf46f 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
@@ -3,13 +3,13 @@ id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
type: derived
+status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-status: experimental
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/builtin/security/win_iso_mount.yml b/rules/windows/builtin/security/win_iso_mount.yml
index 1e9b3836f..a0643396a 100644
--- a/rules/windows/builtin/security/win_iso_mount.yml
+++ b/rules/windows/builtin/security/win_iso_mount.yml
@@ -3,9 +3,9 @@ id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
description: Detects the mount of ISO images on an endpoint
status: experimental
date: 2021/05/29
-modified: 2021/11/20
+modified: 2022/10/05
author: Syed Hasan (@syedhasan009)
-references:
+references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
@@ -17,11 +17,11 @@ logsource:
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
- selection:
+ selection:
EventID: 4663
ObjectServer: 'Security'
ObjectType: 'File'
- ObjectName: '\Device\CdRom*'
+ ObjectName|startswith: '\Device\CdRom'
filter:
ObjectName: '\Device\CdRom0\setup.exe'
condition: selection and not filter
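Review bot: With `ObjectName|startswith: '\Device\CdRom'` the selection now explicitly covers every CD-ROM device index, but `filter` still exempts only `\Device\CdRom0\setup.exe`, so the same file on a second mounted image (`CdRom1`) alerts while the first does not. If the exception is meant for the installer on any mounted image, the filter should mirror the selection's shape, with `ObjectName|startswith: '\Device\CdRom'` and `ObjectName|endswith: '\setup.exe'` under `filter`; if it is deliberately limited to CdRom0, a one-line comment saying so would settle it. The modifier change itself is an improvement over the trailing wildcard.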
diff --git a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
index 3fe554d24..647d50fd1 100644
--- a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
+++ b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
@@ -1,12 +1,13 @@
title: Correct Execution of Nltest.exe
id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
-status: experimental
-author: Arun Chauhan
-date: 2021/10/04
+status: test
description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
- https://attack.mitre.org/software/S0359/
+author: Arun Chauhan
+date: 2021/10/04
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
@@ -21,10 +22,10 @@ detection:
ProcessName|endswith: 'nltest.exe'
Status: '0x0'
condition: selection
-fields:
- - 'SubjectUserName'
- - 'SubjectDomainName'
falsepositives:
- Red team activity
- Rare legitimate use by an administrator
level: high
+fields:
+ - 'SubjectUserName'
+ - 'SubjectDomainName'
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index 6469e1daa..339fc0315 100644
--- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -32,15 +32,15 @@ detection:
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- - '40'
- - '1400'
- - '1000'
- - '100000'
- - '1410' # car.2019-04-004
- - '1010' # car.2019-04-004
- - '1438' # car.2019-04-004
+ - 40
+ - 1400
+ - 1000
+ - 100000
+ - 1410 # car.2019-04-004
+ - 1010 # car.2019-04-004
+ - 1438 # car.2019-04-004
- '143a' # car.2019-04-004
- - '1418' # car.2019-04-004
+ - 1418 # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
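Review bot: The AccessMask entries `40`, `1400`, `1000`, `100000`, `1410`, `1010`, `1438` and `1418` are now YAML integers, but the neighbouring values (`'143a'`, `'1f0fff'`, `'0x1f1fff'`) show this list is hexadecimal access masks without the `0x` prefix, so in any typed comparison decimal 1410 is not 0x1410 and these entries silently stop matching the masks they were meant to cover. Keep them as strings, e.g. `- '1410' # car.2019-04-004`, and likewise for the other seven; only `'143a'` survived because it is not all-digits, which is exactly the implicit-typing trap that quoting guards against. The enclosing selection starts before this hunk.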
diff --git a/rules/windows/builtin/security/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml
index e3158f137..c0fed31e8 100644
--- a/rules/windows/builtin/security/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_metasploit_authentication.yml
@@ -1,12 +1,12 @@
title: Metasploit SMB Authentication
-description: Alerts on Metasploit host's authentications on the domain.
-status: experimental
id: 72124974-a68b-4366-b990-d30e0b2a190d
-author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-modified: 2021/07/07
+status: test
+description: Alerts on Metasploit host's authentications on the domain.
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 59519734f..b69e5102e 100644
--- a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -3,13 +3,13 @@ id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
+status: test
description: Detects NetNTLM downgrade attack
-status: experimental
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth, wagga
date: 2018/03/20
-modified: 2021/06/27
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -22,11 +22,11 @@ logsource:
detection:
selection:
EventID: 4657
- ObjectName|contains|all:
+ ObjectName|contains|all:
- '\REGISTRY\MACHINE\SYSTEM'
- 'ControlSet'
- '\Control\Lsa'
- ObjectValueName:
+ ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
diff --git a/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
index 3a1aeaa23..69a322835 100644
--- a/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -1,13 +1,13 @@
title: New or Renamed User Account with '$' in Attribute 'SamAccountName'
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
-status: experimental
+status: test
description: Detects possible bypass EDR and SIEM via abnormal user account name.
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1036
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2021/07/07
logsource:
product: windows
service: security
@@ -18,10 +18,10 @@ detection:
- 4781 # rename user
SamAccountName|contains: '$'
condition: selection
+falsepositives:
+ - Unknown
+level: high
fields:
- EventID
- SamAccountName
- SubjectUserName
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/builtin/security/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
index dd7e9f1fb..4a21916ba 100644
--- a/rules/windows/builtin/security/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash_2.yml
@@ -8,6 +8,7 @@ references:
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
+modified: 2022/10/05
tags:
- attack.lateral_movement
- attack.t1550.002
@@ -16,18 +17,19 @@ logsource:
service: security
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
- selection:
- - EventID: 4624
- SubjectUserSid: 'S-1-0-0'
- LogonType: '3'
- LogonProcessName: 'NtLmSsp'
- KeyLength: '0'
- - EventID: 4624
- LogonType: '9'
- LogonProcessName: 'seclogo'
+ selection_logon3:
+ EventID: 4624
+ SubjectUserSid: 'S-1-0-0'
+ LogonType: 3
+ LogonProcessName: 'NtLmSsp'
+ KeyLength: 0
+ selection_logon9:
+ EventID: 4624
+ LogonType: 9
+ LogonProcessName: 'seclogo'
filter:
TargetUserName: 'ANONYMOUS LOGON'
- condition: selection and not filter
+ condition: 1 of selection_* and not filter
falsepositives:
- Administrator activity
level: medium
diff --git a/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
index 059e919a5..ccd15bdb3 100644
--- a/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
@@ -1,16 +1,16 @@
title: PetitPotam Suspicious Kerberos TGT Request
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
- certificate by abusing Active Directory Certificate Services in combination with
- PetitPotam, the next step would be to leverage the certificate for malicious purposes.
- One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
- like Rubeus. This request will generate a 4768 event with some unusual fields depending
- on the environment. This analytic will require tuning, we recommend filtering Account_Name
- to the Domain Controller computer accounts.
+ certificate by abusing Active Directory Certificate Services in combination with
+ PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+ like Rubeus. This request will generate a 4768 event with some unusual fields depending
+ on the environment. This analytic will require tuning, we recommend filtering Account_Name
+ to the Domain Controller computer accounts.
status: experimental
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
-modified: 2021/09/07
+modified: 2022/10/05
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
@@ -26,7 +26,7 @@ detection:
selection:
EventID: 4768
TargetUserName|endswith: '$'
- CertThumbprint: '*'
+ CertThumbprint|contains: '*'
filter_local:
IpAddress: '::1'
filter_thumbprint:
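Review bot: `CertThumbprint|contains: '*'` does not require a non-empty thumbprint: `*` is a Sigma wildcard, and wrapped by `contains` it still reads as "any value", so on backends where the wildcard matches zero or more characters the selection also hits the empty thumbprint that 4768 presumably carries for ordinary password-based AS-REQs — i.e. every computer-account TGT request not removed by the filters. If the intent is "a certificate was presented", state it explicitly, e.g. add `filter_empty:` with `CertThumbprint: ''` and exclude it in the condition, or use the exists/non-null construct the target toolchain supports. The `condition` line and the body of `filter_thumbprint` lie outside this hunk, so the filter wiring cannot be checked here.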
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index 26c9954fd..e70a0a816 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -1,16 +1,16 @@
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
+status: test
description: RDP login with localhost source address may be a tunnelled login
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+author: Thomas Patzke
date: 2019/01/28
-modified: 2021/07/07
+modified: 2022/10/09
tags:
- attack.lateral_movement
- car.2013-07-002
- attack.t1021.001
-status: experimental
-author: Thomas Patzke
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
index b74afc4c3..fe018796a 100644
--- a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -1,16 +1,16 @@
title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
+status: test
description: Detects potential use of Rubeus via registered new trusted logon process
-status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1558.003
-author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-modified: 2021/08/14
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml
index 0fd7f3726..9cf8f2305 100644
--- a/rules/windows/builtin/security/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_remote_powershell_session.yml
@@ -1,12 +1,12 @@
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
+status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
-status: experimental
-date: 2019/09/12
-modified: 2021/05/21
-author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index fde145255..2570b4fbe 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -3,19 +3,19 @@ id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
- id: 5a105d34-05fc-401e-8553-272b45c1522d
type: derived
+status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
-status: experimental
-author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+author: Florian Roth, Wojciech Lesicki
date: 2021/05/26
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.execution
- attack.privilege_escalation
- - attack.lateral_movement
+ - attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
@@ -26,11 +26,11 @@ detection:
event_id:
EventID: 4697
selection1:
- ServiceFileName|contains|all:
+ ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
- ServiceFileName|contains|all:
+ ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
@@ -41,4 +41,4 @@ detection:
condition: event_id and 1 of selection*
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index ca29a8a52..9e3f3eaa5 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -3,13 +3,13 @@ id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
+status: test
description: Detects well-known credential dumping tools execution via service execution events
-status: experimental
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-modified: 2021/09/21
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.execution
@@ -37,4 +37,4 @@ detection:
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index e1025f86f..9ba6ab03d 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -3,15 +3,15 @@ id: cb062102-587e-4414-8efa-dbe3c7bf19c6
related:
- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
type: derived
+status: test
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
-status: experimental
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
-date: 2017/03/27
-modified: 2021/09/21
references:
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+date: 2017/03/27
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -30,4 +30,4 @@ detection:
condition: selection and 1 of malsvc_*
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
index dc3f59989..9458b61d5 100644
--- a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -7,7 +7,7 @@ description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec)
status: experimental
author: Bartlomiej Czyz, Relativity
date: 2021/01/21
-modified: 2021/07/23
+modified: 2022/10/05
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
tags:
@@ -24,7 +24,7 @@ detection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
- ServiceStartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
+ ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
@@ -37,4 +37,4 @@ fields:
- ServiceFileName
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index aa946c489..f13e9b7b1 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -3,14 +3,14 @@ id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
+status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-status: experimental
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1134.001
@@ -46,11 +46,11 @@ detection:
- '.dll,a'
- '/p:'
condition: selection_id and selection
+falsepositives:
+ - Highly unlikely
+level: critical
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ServiceFileName
-falsepositives:
- - Highly unlikely
-level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index 9d561344f..b9cd11de3 100644
--- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -3,13 +3,13 @@ id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
+status: test
description: Detects powershell script installed as a Service
-status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1569.002
@@ -19,10 +19,10 @@ logsource:
detection:
selection:
EventID: 4697
- ServiceFileName|contains:
- - 'powershell'
- - 'pwsh'
+ ServiceFileName|contains:
+ - 'powershell'
+ - 'pwsh'
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
index 93f211542..c70802007 100644
--- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml
+++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
@@ -3,11 +3,11 @@ id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
type: derived
+status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1048
@@ -21,4 +21,4 @@ detection:
condition: selection
falsepositives:
- Legitimate OpenVPN TAP insntallation
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 8df4d41a1..557572482 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -3,14 +3,14 @@ id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
type: derived
-status: experimental
+status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
-author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-date: 2017/08/22
-modified: 2021/09/21
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml
index 8a9e41c67..5e6a5e882 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml
@@ -1,12 +1,12 @@
title: Multiple Users Attempting To Authenticate Using Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+status: test
description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
-status: experimental
-author: Mauricio Velazco
-date: 2021/06/01
-modified: 2021/08/09
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml
index 793601100..ede9a2b5c 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml
@@ -1,13 +1,13 @@
title: Multiple Users Failing to Authenticate from Single Process
id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+status: test
description: Detects failed logins with multiple accounts from a single process on the system.
-status: experimental
-author: Mauricio Velazco
-date: 2021/06/01
-modified: 2021/07/07
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
- https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
+author: Mauricio Velazco
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
index 3070617f2..e7a506127 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
@@ -1,10 +1,10 @@
title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+status: test
description: Detects suspicious failed logins with different user accounts from a single source system
-status: experimental
author: Florian Roth
date: 2017/01/10
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -19,10 +19,10 @@ detection:
- 4625
TargetUserName: '*'
WorkstationName: '*'
- condition: selection1 | count(TargetUserName) by WorkstationName > 3
+ condition: selection1 | count(TargetUserName) by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
index 2ecadc8de..9f5715956 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
@@ -3,11 +3,11 @@ id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
related:
- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
type: derived
+status: test
description: Detects suspicious failed logins with different user accounts from a single source system
-status: experimental
author: Florian Roth
date: 2017/01/10
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -27,4 +27,4 @@ falsepositives:
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
index 6f196b4bd..f307e2c31 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
@@ -1,12 +1,12 @@
title: Valid Users Failing to Authenticate From Single Source Using Kerberos
id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+status: test
description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
-status: experimental
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
index 514d19b8a..bc2d4ed97 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
@@ -1,12 +1,12 @@
title: Disabled Users Failing To Authenticate From Source Using Kerberos
id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+status: test
description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
-status: experimental
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
index c291444a9..dd9eac76a 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,12 +1,12 @@
title: Invalid Users Failing To Authenticate From Source Using Kerberos
id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+status: test
description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
-status: experimental
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
index f7cde74cc..cd1430f74 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
@@ -1,12 +1,12 @@
title: Valid Users Failing to Authenticate from Single Source Using NTLM
id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+status: test
description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
-status: experimental
-author: Mauricio Velazco
-date: 2021/06/01
-modified: 2021/07/07
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
index 7ccd33f7c..0757aa7d5 100644
--- a/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
@@ -1,12 +1,12 @@
title: Invalid Users Failing To Authenticate From Single Source Using NTLM
id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+status: test
description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
-status: experimental
-author: Mauricio Velazco
-date: 2021/06/01
-modified: 2021/07/07
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco
+date: 2021/06/01
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
index 766aec3f6..f5d6dc3f1 100644
--- a/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
+++ b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
@@ -1,12 +1,12 @@
title: Multiple Users Remotely Failing To Authenticate From Single Source
id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+status: test
description: Detects a source system failing to authenticate against a remote host with multiple users.
-status: experimental
-author: Mauricio Velazco
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+author: Mauricio Velazco
date: 2021/06/01
-modified: 2021/07/09
+modified: 2022/10/09
tags:
- attack.t1110.003
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
index c38a5a2f0..fc0b3263a 100644
--- a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
@@ -4,26 +4,26 @@ status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
author: xknow @xknow_infosec
references:
- - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- - https://github.com/fox-it/LDAPFragger
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
date: 2019/03/24
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- product: windows
- service: security
+ product: windows
+ service: security
detection:
- selection:
- EventID: 5136
- AttributeValue: '*'
- AttributeLDAPDisplayName:
- - 'primaryInternationalISDNNumber'
- - 'otherFacsimileTelephoneNumber'
- - 'primaryTelexNumber'
- condition: selection
+ selection:
+ EventID: 5136
+ AttributeValue|contains: '*'
+ AttributeLDAPDisplayName:
+ - 'primaryInternationalISDNNumber'
+ - 'otherFacsimileTelephoneNumber'
+ - 'primaryTelexNumber'
+ condition: selection
falsepositives:
- - Companies, who may use these default LDAP-Attributes for personal information
+ - Companies, who may use these default LDAP-Attributes for personal information
level: high
tags:
- - attack.t1001.003
- - attack.command_and_control
+ - attack.t1001.003
+ - attack.command_and_control
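Review bot: `AttributeValue|contains: '*'` changes the form but not the meaning of the old `AttributeValue: '*'` — the asterisk is a wildcard, so the selection still says "any value" rather than "a non-empty value", and on backends where the wildcard matches zero characters it will also hit 5136 events whose `AttributeValue` is empty (possibly attribute removals). If the rule is meant to catch data written into these attributes, exclude the empty case explicitly — `filter_empty:` with `AttributeValue: ''` and `condition: selection and not filter_empty` — or use the exists/non-null modifier of the target toolchain. Minor style point: this rule keeps `level` before `tags`, the reverse of the order the other rules in this commit were normalised to.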
diff --git a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
index d44cab80b..a94bacbef 100644
--- a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
@@ -1,12 +1,12 @@
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
-status: experimental
+status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
- https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019/10/31
-modified: 2021/07/06
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1136.001
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
EventID: 4720
- SamAccountName|contains|all:
+ SamAccountName|contains|all:
- 'ANONYMOUS'
- 'LOGON'
condition: selection
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml
index 9046f32d1..c83f32e84 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump.yml
@@ -1,12 +1,12 @@
title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
+status: test
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
-status: experimental
-author: sigma
-date: 2017/02/12
-modified: 2021/06/21
references:
- https://twitter.com/jackcr/status/807385668833968128
+author: sigma
+date: 2017/02/12
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
index 3a896b3de..2491674c6 100644
--- a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
@@ -1,10 +1,10 @@
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
+status: test
description: Detects known sensitive file extensions accessed on a network share
-status: experimental
author: Samir Bousseaden
date: 2019/04/03
-modified: 2021/08/09
+modified: 2022/10/09
tags:
- attack.collection
- attack.t1039
@@ -28,12 +28,12 @@ detection:
- '\groups.xml'
- '.rdp'
condition: selection
+falsepositives:
+ - Help Desk operator doing backup or re-imaging end user machine or backup software
+ - Users working with these data types or exchanging message files
+level: medium
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- RelativeTargetName
-falsepositives:
- - Help Desk operator doing backup or re-imaging end user machine or backup software
- - Users working with these data types or exchanging message files
-level: medium
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index b685533d3..8087c1167 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -1,12 +1,12 @@
title: RottenPotato Like Attack Pattern
id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
-status: experimental
+status: test
description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
references:
- https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019/11/15
-modified: 2021/07/07
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.credential_access
diff --git a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
index b84cc7e45..4ae331733 100644
--- a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
@@ -9,7 +9,7 @@ references:
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
date: 2020/07/14
-modified: 2022/08/19
+modified: 2022/10/05
logsource:
product: windows
service: security
@@ -20,7 +20,7 @@ detection:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
- NewValue: '0'
+ NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
diff --git a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
index 12ed9a6da..b230cae6f 100644
--- a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
@@ -1,14 +1,15 @@
title: HybridConnectionManager Service Running
id: b55d23e5-6821-44ff-8a6e-67218891e49f
+status: test
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
-status: experimental
-date: 2021/04/12
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.persistence
- - attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1554
logsource:
product: windows
service: microsoft-servicebus-client
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
index 7a6fae07e..b9567742e 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
@@ -1,15 +1,17 @@
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
+status: test
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
-author: Florian Roth, KevTheHermit, fuzzyf10w
-status: experimental
-level: medium
references:
- https://twitter.com/KevTheHermit/status/1410203844064301056
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
+author: Florian Roth, KevTheHermit, fuzzyf10w
date: 2021/06/30
-modified: 2021/07/05
+modified: 2022/10/09
+tags:
+ - attack.credential_access
+ - attack.t1110.001
logsource:
product: windows
service: smbclient-security
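Review bot: The `description` on the third line still reads as a PrintNightmare (CVE-2021-1675) remote code execution detection, while the title, the `smbclient-security` logsource and the newly placed `attack.credential_access` / `attack.t1110.001` tags describe a rejected SMB guest logon; the reorder leaves that contradiction in place. The references suggest the rule was written for the guest-logon pattern observed around PrintNightmare activity, so the description should state what the selection actually matches, e.g. `description: Detects a rejected SMB guest logon from an IP address, a pattern observed during PrintNightmare (CVE-2021-1675) exploitation attempts`. The selection itself is below this hunk.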
@@ -20,11 +22,9 @@ detection:
UserName: ''
ServerName|startswith: '\1'
condition: selection
+falsepositives:
+ - Account fallback reasons (after failed login with specific account)
+level: medium
fields:
- Computer
- User
-falsepositives:
- - Account fallback reasons (after failed login with specific account)
-tags:
- - attack.credential_access
- - attack.t1110.001
\ No newline at end of file
diff --git a/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
index 7e7a6f2a7..5e7dc1884 100644
--- a/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
@@ -1,18 +1,18 @@
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
+status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
-status: experimental
-author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+author: Florian Roth, Wojciech Lesicki
date: 2021/05/26
-modified: 2021/09/30
+modified: 2022/10/09
tags:
- attack.execution
- attack.privilege_escalation
- - attack.lateral_movement
+ - attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
@@ -24,11 +24,11 @@ detection:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection1:
- ImagePath|contains|all:
+ ImagePath|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
- ImagePath|contains|all:
+ ImagePath|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
@@ -39,4 +39,4 @@ detection:
condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_krbrelayup_service_installation.yml
similarity index 60%
rename from rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
rename to rules/windows/builtin/system/win_krbrelayup_service_installation.yml
index be5946b1c..e0abe1a08 100644
--- a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/win_krbrelayup_service_installation.yml
@@ -4,20 +4,20 @@ status: experimental
description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
author: Sittikorn S, Tim Shelton
date: 2022/05/11
-updated: 2022/05/16
+modified: 2022/10/05
references:
- - https://github.com/Dec0ne/KrbRelayUp
+ - https://github.com/Dec0ne/KrbRelayUp
logsource:
- product: windows
- service: system
+ product: windows
+ service: system
detection:
- selection:
- EventID: '7045'
- ServiceName: 'KrbSCM'
- condition: selection
+ selection:
+ EventID: 7045
+ ServiceName: 'KrbSCM'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.privilege_escalation
- - attack.t1543
+ - attack.privilege_escalation
+ - attack.t1543
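Review bot: After re-indenting, `tags:` still sits after `level:`, whereas the other rules touched in this commit (e.g. win_hybridconnectionmgr_svc_running.yml, win_susp_failed_guest_logon.yml) were reordered to put `tags` before `logsource` and `level` at the end; the same trailing `tags` block remains in the win_system_application_sysmon_crash.yml hunk. Moving the two `tags` lines up under `modified:` would make both renamed/re-indented files consistent with the rest of the change. The `updated:` → `modified:` rename presumably corrects a non-standard key spelling, which is a silent metadata fix worth a word in the commit description. The file's `title`, `id` and `status: experimental` lines are above the hunk.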
diff --git a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
index f37ffc68a..730cec3cd 100644
--- a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
+++ b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
@@ -5,17 +5,17 @@ description: Detects application popup reporting a failure of the Sysmon service
author: Tim Shelton
date: 2022/04/26
logsource:
- product: windows
- service: system
+ product: windows
+ service: system
detection:
- selection:
- Provider_Name: 'Application Popup'
- EventID: 26
- Caption: 'sysmon64.exe - Application Error'
- condition: selection
+ selection:
+ Provider_Name: 'Application Popup'
+ EventID: 26
+ Caption: 'sysmon64.exe - Application Error'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.t1562
- - attack.impair_defenses
+ - attack.defense_evasion
+ - attack.t1562
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index 21f32acef..82e57a8e2 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -1,12 +1,12 @@
title: Windows Defender Malware Detection History Deletion
id: 2afe6582-e149-11ea-87d0-0242ac130003
-status: experimental
+status: test
description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
-author: Cian Heasley
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+author: Cian Heasley
date: 2020/08/13
-modified: 2021/05/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1070.001
@@ -18,9 +18,9 @@ detection:
EventID: 1013
EventType: 4
condition: selection
-fields:
- - EventID
- - EventType
falsepositives:
- Deletion of Defender malware detections history for legitimate reasons
level: high
+fields:
+ - EventID
+ - EventType
diff --git a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
index fd8ae4cfe..bf93e948c 100644
--- a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
@@ -1,15 +1,15 @@
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
-status: experimental
-date: 2021/04/12
-modified: 2021/06/10
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.persistence
- - attack.t1554
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1554
logsource:
product: windows
category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml
index 31d9cafc3..47fd48c93 100644
--- a/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -1,21 +1,22 @@
title: DNS Query for MEGA.io Upload Domain
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+status: test
description: Detects DNS queries for subdomains used for upload to MEGA.io
-status: experimental
-date: 2021/05/26
-author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1567.002
-falsepositives:
- - Legitimate Mega upload
-level: high
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: userstorage.mega.co.nz
- condition: selection
\ No newline at end of file
+ condition: selection
+falsepositives:
+ - Legitimate Mega upload
+level: high
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
index 22db73948..5254f8c26 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
@@ -3,14 +3,14 @@ id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
- id: c7e91a02-d771-4a6d-a700-42587e0b1095
type: derived
-status: experimental
+status: test
description: Detects network connections and DNS queries initiated by Regsvr32.exe
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019/10/25
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1559.001
@@ -23,12 +23,12 @@ detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
+falsepositives:
+ - Unknown
+level: high
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
index cf893946b..524131a9e 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ipify.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
@@ -1,25 +1,22 @@
title: Suspicious DNS Query for IP Lookup Service APIs
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
+status: test
description: Detects DNS queries for ip lookup services such as api.ipify.org not originating from a browser process.
-status: experimental
-date: 2021/07/08
-modified: 2021/09/10
-author: Brandon George (blog post), Thomas Patzke (rule)
references:
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
- https://twitter.com/neonprimetime/status/1436376497980428318
+author: Brandon George (blog post), Thomas Patzke (rule)
+date: 2021/07/08
+modified: 2022/10/09
tags:
- attack.reconnaissance
- attack.t1590
-falsepositives:
- - Legitimate usage of ip lookup services such as ipify API
-level: medium
logsource:
product: windows
category: dns_query
detection:
dns_request:
- QueryName:
+ QueryName:
- canireachthe.net
- ipv4.icanhazip.com
- ip.anysrc.net
@@ -45,3 +42,6 @@ detection:
- \msedge.exe
- \vivaldi.exe
condition: dns_request and not browser_process
+falsepositives:
+ - Legitimate usage of ip lookup services such as ipify API
+level: medium
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 172b3e23f..a927e7883 100644
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -3,14 +3,14 @@ id: d585ab5a-6a69-49a8-96e8-4a726a54de46
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
+status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-status: experimental
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1134.001
@@ -44,11 +44,11 @@ detection:
- '.dll,a'
- '/p:'
condition: selection
+falsepositives:
+ - Highly unlikely
+level: critical
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ImagePath
-falsepositives:
- - Highly unlikely
-level: critical
\ No newline at end of file
diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
index 1bb1c9653..32b2a6e80 100644
--- a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
+++ b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
@@ -3,13 +3,13 @@ id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
+status: test
description: Detects powershell script installed as a Service
-status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1569.002
@@ -18,10 +18,10 @@ logsource:
category: driver_load
detection:
selection:
- ImageLoaded|contains:
- - 'powershell'
- - 'pwsh'
+ ImageLoaded|contains:
+ - 'powershell'
+ - 'pwsh'
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 55f55661b..9c37a3d38 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -1,721 +1,919 @@
title: Vulnerable Driver Load
id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
status: experimental
-description: Detects the load of known vulnerable drivers
+description: Detects the load of known vulnerable drivers by hash value
author: Nasreddine Bencherchali
references:
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+ - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - https://github.com/jbaines-r7/dellicious
+ - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+ - https://github.com/namazso/physmem_drivers
+ - https://github.com/stong/CVE-2020-15368
+ - https://github.com/CaledoniaProject/drivers-binaries
date: 2022/08/18
-modified: 2022/09/01
+modified: 2022/10/03
logsource:
product: windows
category: driver_load
detection:
selection_sysmon:
Hashes|contains:
- - 'SHA1=80FA962BDFB76DFCB9E5D13EFC38BB3D392F2E77'
- - 'SHA1=5A7DD0DA0AEE0BDEDC14C1B7831B9CE9178A0346'
- - 'SHA1=1ACC7A486B52C5EE6619DBDC3B4210B5F48B936F'
- - 'SHA1=55AB7E27412ECA433D76513EDC7E6E03BCDD7EDA'
- - 'SHA1=1E7C241B9A9EA79061B50FB19B3D141DEE175C27'
- - 'SHA1=E5C090903A20744BA3583A8EA684D035E8CECC34'
- - 'SHA1=CA5FF4EB8CCBDE4EFF3491FD7941769E8D093D79'
- - 'SHA1=C92148D0666F2235500805975BE79738B84E48C2'
- - 'SHA1=F8270F774B3549079EA7D5F0D5406F307019BDFB'
- - 'SHA1=61E1B497A5DF0797527D6D465A8F315A82AD35EB'
- - 'SHA1=708855DB4202A792862E1139D673C3B4B713053C'
- - 'SHA1=2E6D61FA32E12FE4ABF7B7D87AA6824F5F528000'
- - 'SHA1=5F9C7D3552FFA98C9DCF9A9B7AD1263D2AB24A2F'
- - 'SHA1=55A90E7822A1444FAE81371DF7296CC5642FB353'
- - 'SHA1=085529E58BE3806D396F1BB15FF078FD4C471AAB'
- - 'SHA1=D0580BFC31FAEFB7E017798121C5B8A4E68155F9'
- - 'SHA1=B419D69A4ED8D4EABD90A155ED15C3374BEA6FFC'
- - 'SHA1=4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF'
- - 'SHA1=EA360A9F23BB7CF67F08B88E6A185A699F0C5410'
- - 'SHA1=0F780B7ADA5DD8464D9F2CC537D973F5AC804E9C'
- - 'SHA1=B3410021EA5A46818D9FF05A96C2809A9ABE8E4A'
- - 'SHA1=490F85E291C4D9ED0AB8457CE6B424C0F3F7E7AC'
- - 'SHA1=C28B640BECA5E2834D2A373F139869CC309F6631'
- - 'SHA1=282BB241BDA5C4C1B8EB9BF56D018896649CA0E1'
- - 'SHA1=8CC8974A05E81678E3D28ACFE434E7804ABD019C'
- - 'SHA1=E09B5E80805B8FE853EA27D8773E31BFF262E3F7'
- - 'SHA1=E3C1DD569AA4758552566B0213EE4D1FE6382C4B'
- - 'SHA1=50E2BC41F0186FDCE970B80E2A2CB296353AF586'
- - 'SHA1=485C0B9710A196C7177B99EE95E5DDB35B26DDD1'
- - 'SHA1=1D1CAFC73C97C6BCD2331F8777D90FDCA57125A3'
- - 'SHA1=69006FBBD1B150FB9404867A5BCDC04FE0FC1BAD'
- - 'SHA1=4EAE38E9DC262EB7B6EDE4B3D3F4AD068933845E'
- - 'SHA1=51E0740AAEE5AE76B0095C92908C97B817DB8BEA'
- - 'SHA1=D99B80B3269D735CAC43AF5E43483E64CA7961C3'
- - 'SHA1=EEFF4EC4EBC12C6ACD2C930DC2EAAF877CFEC7EC'
- - 'SHA1=4789B910023A667BEE70FF1F1A8F369CFFB10FE8'
- - 'SHA1=7838FB56FDAB816BC1900A4720EEA2FC9972EF7A'
- - 'SHA1=10E15BA8FF8ED926DDD3636CEC66A0F08C9860A4'
- - 'SHA1=E4436C8C42BA5FFABD58A3B2256F6E86CCC907AB'
- - 'SHA1=08596732304351B311970FF96B21F451F23B1E25'
- - 'SHA1=BC2F3850C7B858340D7ED27B90E63B036881FD6C'
- - 'SHA1=E74B6DDA8BC53BC687FC21218BD34062A78D8467'
- - 'SHA1=2C27ABBBBCF10DFB75AD79557E30ACE5ED314DF8'
- - 'SHA1=FAA870B0CB15C9AC2B9BBA5D0470BD501CCD4326'
- - 'SHA1=8241C9A5755A740811C8E8D2739B33146ACD3E6D'
- - 'SHA1=4B8C0445075F09AEEF542AB1C86E5DE6B06E91A3'
- - 'SHA1=E014C6BEBFDA944CE3A58AB9FE055D4F9367D49C'
- - 'SHA1=E5A152BB57060C2B27E825258698BD7FF67907FF'
- - 'SHA1=ACA8E53483B40A06DFDEE81BB364B1622F9156FE'
- - 'SHA1=83767982B3A5F70615A386F4D6638F20509F3560'
- - 'SHA1=8F0B99B53EB921547AFECF1F12B3299818C4E5D1'
- - 'SHA1=295E590D49DF717C489C5C824E9C6896A14248BB'
- - 'SHA1=7A43BE821832E9BF55B1B781AE468179D0E4F56E'
- - 'SHA1=05AC1C64CA16AB0517FE85D4499D08199E63DF26'
- - 'SHA1=4BBB9709D5F916FE78EAA15431F622761EFC496F'
- - 'SHA1=150F5DAE8716B09A64CAC96862F5E2506A71E771'
- - 'SHA1=3DEBE170B5A113407F9E86EE6ED9AE00C3D82C9F'
- - 'SHA1=73857ACDD7D7C9235F3E18C503A27E7C88C5FCB0'
- - 'SHA1=8BC75E18953B7B23991B2FBC79713E1E175F75E4'
- - 'SHA1=A2DA5C397F737FA55D8F93D3CED5EB70AE09801F'
- - 'SHA1=C58B6EF848CA87AD9EC4368C45C8F1EB7FA6BD16'
- - 'SHA1=74CBC407ACD9D2A4BC609B2F8C9A09B90912D10C'
- - 'SHA1=1923D1F21FAFFCD7D511E2B313FE9415E6AD90AE'
- - 'SHA1=F3E60B7B9C53315D6158F82596919209A00E1CDA'
- - 'SHA1=AA97BF43E6BAD521F3A3D8081FB350C89382F06F'
- - 'SHA1=4604A20CAE2DFE42320FE8F6AED000EC204EFA7E'
- - 'SHA1=60A632E4B838731AAD553650D6BC8AF3D3D80B26'
- - 'SHA1=03F0DD3124EC3A4BB6D30865A488F54E74DED699'
- - 'SHA1=8A50E81D6E6C45410BF13F95B1A67CADA8C82221'
- - 'SHA1=83660D245FE618ECAFE4900AC1E2AD0292C2DA2A'
- - 'SHA1=202D5A05E546740037F9A4DC2B21F71680C39D3B'
- - 'SHA1=560D8869D48A71E59601B76240E9A6CFFB068C9C'
- - 'SHA1=7C1BA790CA2AA03F30413D02F3A812FCCA1AB29F'
- - 'SHA1=969A945C93F54FCBF17548903131D4B86042DF7B'
- - 'SHA1=64309DB7AF8665368636186805745126B8BD5BFE'
- - 'SHA1=1F7804D9185B1910C43BD4104D58B96994FF8E49'
- - 'SHA1=2A506E2512C9083419B7741B4499E012CDC60204'
- - 'SHA1=1236573A309C4EDB52E050E53E73188183C23E7E'
- - 'SHA1=22C5E127E7E7C567D8624607A6F8F5809DEACB55'
- - 'SHA1=DC38CC55B84A1A7C0846FB5509B43B4FF97A9BE6'
- - 'SHA1=AA937F73A8AFCDA98E868F4AEEB0EB81A4150075'
- - 'SHA1=481488488CF7BB5CD470B62600A3570A1711ABAA'
- - 'SHA1=C58BEBEF6A92F5A5B37BE0394695E8E18A42867F'
- - 'SHA1=7AA2C4C51AFC1C82BEAE55AB9CA7BA0BB588B5C0'
- - 'SHA1=FD081F7A372B939DB8523E222D118B87450D3D19'
- - 'SHA1=E343AA3981393778F32DF94EFAC90FE35D6933A9'
- - 'SHA1=002223FDDC5658EA22B7A8979984A9B54F63B316'
- - 'SHA1=1CF3B0A2A0B47477A840ADC2B520401E18AF16D6'
- - 'SHA1=F50B475D5FD1ED4F866BF43342676E449F779C67'
- - 'SHA1=C4FE0CBB8DA5BF1E02EC6D7A0F97D740955DDD97'
- - 'SHA1=3AE56AB63230D6D9552360845B4A37B5801CC5EA'
- - 'SHA1=B04ECC8DD0D52FE4552D2C4D693D67FAE20C460F'
- - 'SHA1=710BBA7C3D6CAC7B62AB05E6B12274D1548985E6'
- - 'SHA1=67650BC9CDF0716BC7B5664723C38FC5327EC662'
- - 'SHA1=39F934078A060BAD2D58B5DBA8F8884903D697A7'
- - 'SHA1=CEC5447D0529F97C4BF4A012EA58AAB07139FFE0'
- - 'SHA1=0D523E8B0B96675AC2E5AC0D56C367564B260545'
- - 'SHA1=69D6B4032F1456506382885EBA5B396F1C36841B'
- - 'SHA1=738CF0AFB7ECDF35A92667C8802D512A0CAF353C'
- - 'SHA1=D85C6097A2279301222B6A06B93296ACE669A76D'
- - 'SHA1=61258963D900C2A39408EF4B51F69F405F55E407'
- - 'SHA1=8403A17AE001FEF3488C2E641E2BE553CD5B478D'
- - 'SHA1=0CE54B617DE11C24670064960B736EF9C47A5F15'
- - 'SHA1=82F8D4BA137FA4B0DA20E8CD1968A7AAEA803DBC'
- - 'SHA1=00B4FDC0F7F28DDECD5B4E5880A71E7F08B5F825'
- - 'SHA1=3C20BB896FD16B5C698185FB176E820A448997B3'
- - 'SHA1=6A784D45517142C11D5CCA3FF9956B2ED6EAF4C9'
- - 'SHA1=4E5E719362CD48BB323803C1D00AFDE11D4B9D4C'
- - 'SHA1=FD8A340CD071BC98E6EEAC9BBD4AC8A78688BC17'
- - 'SHA1=EC7947AD1919C8F60BC973B96DA4132A1EA396E0'
- - 'SHA1=2A95F882DD9BAFCC57F144A2708A7EC67DD7844C'
- - 'SHA1=C9CC3779ED67755220DBF9592EC2AC0E1DE363DC'
- - 'SHA1=B0EC7D971DA8AE84C0ED8F88A5D46B23996E636C'
- - 'SHA1=6980122AEF4E2D5D7A6DDDB6DA76A166C460E0A1'
- - 'SHA1=DA21F5889F8374C3961856D681ADEC3D663D2964'
- - 'SHA1=C5057A4FD3C9B58F4C9AB9FE356081DF8804BF98'
- - 'SHA1=FC5F231383FE72E298893010A9A3714B205C4110'
- - 'SHA1=3281135748C9C7A9DDACE55C648C720AF810475F'
- - 'SHA1=26C398B86FD33B3E6C4348F780C4CF758C99C8FD'
- - 'SHA1=5107438A02164E1BCEDD556A786F37F59CD04231'
- - 'SHA1=316E7872A227F0EAD483D244805E9FF4D3569F6F'
- - 'SHA1=588A9F349E520AA5AC5BD650B75345419B28AE85'
- - 'SHA1=66941573DAFD7259CBA113C0FA9EACCD347355FD'
- - 'SHA1=C3596085C90D81C2C51A75558211AD44C853C358'
- - 'SHA1=02A7E085631ECFE031B76AFA883A266C850ED61B'
- - 'SHA1=6BD3AB2E730561F7D1385DCFEF81C1FA67398C8C'
- - 'SHA1=8B86E08D610BCC9AB7B7750F036DBB568F733BE0'
- - 'SHA1=179601E33B5AE4E2EA13F34FD084B1FCBD56FBCE'
- - 'SHA1=DCDB7BF7E237B9BDA190F60E386A49A7C3494F8D'
- - 'SHA1=E8F7E20061F9CC20583DCAB3B16054D106B8AA83'
- - 'SHA1=36875A862D1E762E6CC75595EF37EA7460A1E1DF'
- - 'SHA1=B423CA58603513B5D3A9669736D5E13C353FD6F9'
- - 'SHA1=AE806CA05E141B71664D9C6F20CC2369EF26F996'
- - 'SHA1=D0559503988DAA407FCC11E59079560CB456BB84'
- - 'SHA1=0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83'
- - 'SHA1=D4E21C205DE75CDE70CD73C52C646E1E5D333A35'
- - 'SHA1=7E732ACB7CFAD9BA043A9350CDEFF25D742BECB8'
- - 'SHA1=CDE1A50E1DF7870F8E4AFD8631E45A847C714C0A'
- - 'SHA1=07660D1867E20BE0212A96CBA6B5FE6BE7776EAF'
- - 'SHA1=B2CD3A63D04EAE427BEDE6C6FE8FACBA91ECECBF'
- - 'SHA1=877C6C36A155109888FE1F9797B93CB30B4957EF'
- - 'SHA1=A7D827A41B2C4B7638495CD1D77926F1BA902978'
- - 'SHA1=0C2599D738D01A82EC91725F499ACEBBCFB47CC9'
- - 'SHA1=C978063E678233C5EFB8F002FEF000FD479CC632'
- - 'SHA1=3C9F40AC72B0202CB40627FDEB7298079187193A'
- - 'SHA1=6E7D8ABF7F81A2433F27B052B3952EFC4B9CC0B1'
- - 'SHA1=E3DBE2AA03847DF621591A4CAD69A5609DE5C237'
- - 'SHA1=F3821EC0AEF270F749DF9F44FBA91AFA5C8C38E8'
- - 'SHA1=12EB825418A932B1E4C6697DC7647E89AE52CF3F'
- - 'SHA1=497AFEB0D5B97D4B863704A2F77FFEF31220402D'
- - 'SHA1=706686F2A1EF4738A1856D01AB10EB730FC7B327'
- - 'SHA1=05E20D0274A4FCC5368F25C62174003A555917E7'
- - 'SHA1=EBF8C7DC8292950ACC260A0E473678AE3C56B210'
- - 'SHA1=0D1DC447860DC9B9B7FA278FF16120E14064517C'
- - 'SHA1=FCA1EE04BE5D7752A1AD717A6AAC9C143C5C8BCD'
- - 'SHA1=A14331F63EC907BF3E472F1E0CB8F19DE06EF4E4'
- - 'SHA1=8EC43D1DEF8BB20354AEBA49A9084BACD2C02817'
- - 'SHA1=708EAD1221FB176AA9594F9E0AA7F783704FB962'
- - 'SHA1=F1BDD3236F43338A119D74ECA730F0D464DED973'
- - 'SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3'
- - 'SHA1=f023177aca17f6dc90fdd9588240cb16c70a9fe2'
- - 'SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562'
- - 'SHA1=8b860c5d34254290769d40d703625f774c213e00'
- - 'SHA1=6a8c00b703a5d6b8c82878628978db9bf282d6ae'
- - 'SHA1=8fa3636a7697f953d7daa02a313981b9e3bc98e4'
- - 'SHA1=125ea078bc3cc79b34bec8141391acaf2d69ffe2'
- - 'SHA1=7cb3ea53660dbc1b4fe12e0c03c7bfea0a3c92a2'
- - 'SHA1=70d5b0be6ed51e43c0a19b773cead8793257bbc1'
- - 'SHA1=4a4609839b846f384f1b6f3a9a945bf3119d2f9c'
- - 'SHA1=04e8a8d30869cf60ad42825667224d5cd01ade15'
- - 'SHA1=f5bf9d483e0a204e7ff59fc092b4e580951802ca'
- - 'SHA1=8b04023990d18dcd5cc4c5538b332b017f3962fc'
- - 'SHA1=73338b8931a3c265e8b544fa17de3056a3e56b59'
- - 'SHA1=657a875554b075eb7f2d314bbbe967c789624b30'
- - 'SHA1=0e23cd5f100a035bd5ad521a6ad40454fda084c7'
- - 'SHA1=aee092fd31772d33932a7a02dd2d73ede67f7db0'
- - 'SHA1=118f688c30a2f6c2d1feb955f53ce4acf3086b3b'
- - 'SHA1=4ede7f018c317ddc6a5f8f935f917621668cb1ec'
- - 'SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775'
- - 'SHA1=10b30bdee43b3a2ec4aa63375577ade650269d25'
+ # List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
+ - 'SHA1=2261198385d62d2117f50f631652eded0ecc71db'
+ - 'SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc'
+ - 'SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f'
+ - 'SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd'
+ - 'SHA1=21e6c104fe9731c874fab5c9560c929b2857b918'
+ - 'SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2'
+ - 'SHA1=2f991435a6f58e25c103a657d24ed892b99690b8'
+ - 'SHA1=f02af84393e9627ba808d4159841854a6601cf80'
+ - 'SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe'
+ - 'SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba'
+ - 'SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705'
+ - 'SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa'
+ - 'SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124'
+ - 'SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2'
+ - 'SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b'
+ - 'SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc'
+ - 'SHA1=72966ca845759d239d09da0de7eebe3abe86fee3'
+ - 'SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de'
+ - 'SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7'
+ - 'SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e'
+ - 'SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741'
+ - 'SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95'
+ - 'SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86'
+ - 'SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65'
+ - 'SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13'
+ - 'SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b'
+ - 'SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb'
+ - 'SHA1=468e2e5505a3d924b14fedee4ddf240d09393776'
+ - 'SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8'
+ - 'SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f'
+ - 'SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123'
+ - 'SHA1=623cd2abef6c92255f79cbbd3309cb59176771da'
+ - 'SHA1=1f3a9265963b660392c4053329eb9436deeed339'
+ - 'SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c'
+ - 'SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d'
+ - 'SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb'
+ - 'SHA1=c834c4931b074665d56ccab437dfcc326649d612'
+ - 'SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c'
+ - 'SHA1=51b60eaa228458dee605430aae1bc26f3fc62325'
+ - 'SHA1=3270720a066492b046d7180ca6e60602c764cac7'
+ - 'SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131'
+ - 'SHA1=19bd488fe54b011f387e8c5d202a70019a204adf'
+ - 'SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e'
+ - 'SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344'
+ - 'SHA1=205c69f078a563f54f4c0da2d02a25e284370251'
+ - 'SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6'
+ - 'SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac'
+ - 'SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7'
+ - 'SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843'
+ - 'SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417'
+ - 'SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181'
+ - 'SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526'
+ - 'SHA1=0307d76750dd98d707c699aee3b626643afb6936'
+ - 'SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a'
+ - 'SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946'
+ - 'SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d'
+ - 'SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0'
+ - 'SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe'
+ - 'SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0'
+ - 'SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e'
+ - 'SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d'
+ - 'SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0'
+ - 'SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2'
+ - 'SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57'
- 'SHA1=c948ae14761095e4d76b55d9de86412258be7afd'
- - 'SHA256=80599708CE61EC5D6DCFC5977208A2A0BE2252820A88D9BA260D8CDF5DC7FBE4'
- - 'SHA256=9091E044273FF624585235AC885EB2B05DFB12F3022DCF535B178FF1B2E012D1'
- - 'SHA256=92EDD48DFAC025D4069EB6491B9730D9D131B77CCEAA480AF9B3C32BC8C5E3A9'
- - 'SHA256=F84634B5C0E83CA9BB25928DC3C4FC05D37451C23B780DBEEB1F10F056F1EEEE'
- - 'SHA256=C1B41D6B91448E2409BB2F4FBF4AEB952ADF373D0DECC9D052277B89BA401407'
- - 'SHA256=1056806F6508B4F5E8A00A6E8D07AEAC06A1BE5F9B92F1684F33682D2DA9349E'
- - 'SHA256=9DCFD796E244D0687CC35EAC9538F209F76C6DF12DE166F19DBC7D2C47FB16B3'
- - 'SHA256=D8841803F181F735D8794C82BA52D8C484B3B0A95DBBB66114314F439B75B0E9'
- - 'SHA256=19C74EA0E0BAF04820E5642BD2FA224158801ED966BE1041539E3C55BD65C471'
- - 'SHA256=A3C9C5625BA6A6075D365543603A4DD4D7790850753D5289FF976EB2A839910F'
- - 'SHA256=739C11FDB8673AB5B78F1A874DAF5BA3FADDB7910A6D4E0CC49ABD8B8537333F'
- - 'SHA256=BE5653E4C1ED75A451BE4297FF233A22C7AAB93B2126CA428834E83CADFF5E9C'
- - 'SHA256=C767A5895119154467AC3FCE8E82C20E6538A4E54F6C109001C61F8ABD58F9F8'
- - 'SHA256=14141F03EFF7C2F44BFED93524F4EC64ABDC8F3D45D55B1BCB5701CA354319FD'
- - 'SHA256=FEE4560F2160A951D83344857EB4587AB10C1CFD8C5CFC23B6F06BEF8EBCD984'
- - 'SHA256=B00060733F88E3897D4B1E4732DF67FF277A8D615F84E6EFAB98C79C72CBA370'
- - 'SHA256=11EECF9E6E2447856ED4CF86EE1CB779CFE0672C808BBD5934CF2F09A62D6170'
- - 'SHA256=23E39D9E40235A5C456260E03CACCC186FE79FFD7D0439AEA7530EBB0380946D'
- - 'SHA256=B6BF2460E023B1005CC60E107B14A3CFDF9284CC378A086D92E5DCDF6E432E2C'
- - 'SHA256=E22B7BA6D064C75913C3BDADAF7AADA535DDDD83175D8A47467FED5ABC56D5AC'
- - 'SHA256=7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8'
- - 'SHA256=BB83738210650E09307CE869ACA9BFA251024D3C47B1006B94FCE2846313F56E'
- - 'SHA256=0381632CD236CD94FA9E64CCC958516AC50F9437F99092E231A607B1E6BE6CF8'
- - 'SHA256=9378F7DFF94D9409D38FA1A125C52734D6BAEA90913FC3CEE2659FD36AB0DA29'
- - 'SHA256=FAA08CB609A5B7BE6BFDB61F1E4A5E8ADF2F5A1D2492F262483DF7326934F5D4'
- - 'SHA256=42589C7CE89941060465096C4661654B43E38C1F9D05D66239825E8FCCF52705'
- - 'SHA256=96EE751F7C38731E97773E07E0F13F4DD361AF9AAA1D30B41652C2E6EFC3FB3E'
- - 'SHA256=862A262E7AF92599E6B10035B8A3C988078B92BA791A6230A85FD6D1ECEC88C7'
- - 'SHA256=FE4270A61DBED978C28B2915FCC2826D011148DCB7533FA8BD072DDCE5944CEF'
- - 'SHA256=7E2AD3D6D76F4FCD4583B865FFC12DE6C44FC16CBCBB81D480CB067F2A860422'
- - 'SHA256=97B976F7E7E5DF7AF0781BBBB33CB5F3F7A59EFDD07995253B31DE8123352A67'
- - 'SHA256=1ED9DA2DA2539284404E0701E6BA3C9EB37BE10353E826F425A194D247B8B7CE'
- - 'SHA256=FEEF191064D18B6FB63B7299415D1B1E2EC8FCDD742854AA96268D0EC4A0F7B6'
- - 'SHA256=2D48414647A7F9DEA30F19074EBF8F17E55E9031B8604794CEB88369C8C52532'
- - 'SHA256=7B7E0E1453E733050B586A6FAC91883DBB85AE0775C84C4CEB967CFC9B4EFD10'
- - 'SHA256=0893E186E236315FE78A7EF41ED71617E75D90D2D14FE93911E0D9344BEAF69F'
- - 'SHA256=7FB0F6FC5BDD22D53F8532CB19DA666A77A66FFB1CF3919A2E22B66C13B415B7'
- - 'SHA256=B98E008DFEA10EC74C89D08F12F31C12F52234BE6FFFF06B6B9E749BFEA6CBED'
- - 'SHA256=47DBA240967FD0088BE618163672DFBDDF0138178CCCD45B54037F622B221220'
- - 'SHA256=E7F011E9857C7DB5AACBD424612CD7E3D12C363FDC8F072DDFAF9E2E5C85F5F3'
- - 'SHA256=2FF09BB919A9909068166C30322C4E904BEFEBA5429E9A11D011297FB8A73C07'
- - 'SHA256=A69247025DD32DC15E06FEE362B494BCC6105D34B8D7091F7EC3D9000BD71501'
- - 'SHA256=F2B51FBEEAD17F5EE34D5B4A3A83C848FB76F8F0E80769212E137A7AA539A3BC'
- - 'SHA256=C8FA1EC3D03050FBC1AA677F2C0348690521291219E8D2E94F0EA9E9174B9156'
- - 'SHA256=038F39558035292F1D794B7CF49F8E751E8633DAEC31454FE85CCCBEA83BA3FB'
- - 'SHA256=AA594D977312A944B14351C075634E7C59B42687928FBCDA8E2C4CEA46686DD9'
- - 'SHA256=7F75D91844B0C162EEB24D14BCF63B7F230E111DAA7B0A26EAA489EEB22D9057'
- - 'SHA256=5958CBE6CF7170C4B66893777BDE66343F5536A98610BD188E10D47DB84BC04C'
- - 'SHA256=543C3F024E4AFFD0AAFA3A229FA19DBE7A70972BB18ED6347D3492DD174EDAC5'
- - 'SHA256=8BF958AFA751D7AB66EBB1FAE25679E6F0FDE72078AEFC09F1824EEFA526005E'
- - 'SHA256=3DE51A3102DB7297D96B4DE5B60ACA5F3A07E8577BBBED7F755F1DE9A9C38E75'
- - 'SHA256=6AD3624CA1DC38ECEEC75234E50934B1BAD7C72621DC57DEAB09044D0135877D'
- - 'SHA256=B8BF3BD441EBC5814C5D39D053FDCB263E8E58476CBDEE4B1226903305F547B6'
- - 'SHA256=AC706D9ED906B5C879F6AD59FFB56FA6BC5E1395FE9ADF7C60F7EB94D044D018'
- - 'SHA256=F34C667C0DA3CD813E60F11B67338723252BEB9BD43FC5E0C8C7265F263D2BD9'
- - 'SHA256=C7B193F92A943AFBC0EB57B23B5BE5E66F66574051BF838B6735E13733DA1809'
- - 'SHA256=841F965977F33D621D126412032C47DD6118251623C380E5572F7553B620B0E1'
- - 'SHA256=D3ECCD41C75046CA9A72AF273C132AEDED1D6572A20D1A64ED08337204B9DA83'
- - 'SHA256=FB5E65AEC819C5A91EF0CE0FEC0A957826B5E1AC9BAC559A1B4201A3870462A3'
- - 'SHA256=D402FE9EED2C0A26AAF2CB2311019FFF7004965AA2D22702974203A50A52C9B0'
- - 'SHA256=A520FF5C754A1FB62BA88399A313D0C0FB99145BA2D3D91DBF4282388B77FA84'
- - 'SHA256=2E7B3C52FE1541B51F814B82FCED59513DE249B6834B4B2C94ACD97CA889477C'
- - 'SHA256=AD44CFD9C6262A6FF36EE9D03E59BA4B0524EF87F6B980CE15ABB10A35D39F88'
- - 'SHA256=80BFD0EAD1EA54219D6A1A454242CAA6C2397FA94AF1B4E10D269B670AFDA898'
- - 'SHA256=96A5B3CD7C1A6DDA5B6F402E6C35BA535270467F56ADDC7448DBE4AA78428411'
- - 'SHA256=7F0A28CCF0AB76964D40E063F9D4B88193B77E4BADF66E8C8F87C97127885987'
- - 'SHA256=E219276A4068B1EEA5CE08F83A322845DCE4ECA89E05C71A0C2417065CE48813'
- - 'SHA256=EBFBFA7C84036A4CF0114BBB0C8017B532F37D846589AEB0004BC8B1F5F4D230'
- - 'SHA256=43B7715E38449BF82AD0BB6B11D03DA42150C1EE23148C5F396CC4AB1001622D'
- - 'SHA256=70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA'
- - 'SHA256=0D0962DB9DC6879067270134801AD425C1F3E85B0DC39877C02AAA9C54ACA14E'
- - 'SHA256=C1D2036235A489FDD8B3970C9EF01567443A87D17B0AD5C2A033D4C471D0ECDE'
- - 'SHA256=7018D515A6C781EA6097CA71D0F0603AD0D689F7EC99DB27FCACD492A9E86027'
- - 'SHA256=05736AB8B48DF84D81CB2CC0FBDC9D3DA34C22DB67A3E71C6F4B6B3923740DD5'
- - 'SHA256=BE0AF245444321E51F4DD8A90A19A0ABE05A060CBAD93701E23A02DF307957AE'
- - 'SHA256=D86D6732AC4D1CB41A2DCE40436B839C0DFDCEF9BA306CE5D0F97C0522ABFAC8'
- - 'SHA256=4E19D4CE649C28DD947424483796BEACE3656284FB0379D97DDDD320AA602BBC'
- - 'SHA256=EAC7316089DBAF7DF79A531355547BBDA22FA0921E31BBA0D27BCC88234E9ED3'
- - 'SHA256=B97F870C501714FA453CF18AE8A30C87D08FF1E6D784AFDBB0121AEA3DA2DC28'
- - 'SHA256=1081CCD57FD35998634103AE1E736638D82351092ACD30FE75084EA6A08CA0F7'
- - 'SHA256=A6AE7364FD188C10D6B5A729A7FF58A3EB11E7FEB0D107D18F9133655C11FB66'
- - 'SHA256=B7113B9A68E17428E2107B19BA099571AAFFC854B8FB9CBCEB79EF9E3FD1CC62'
- - 'SHA256=EB71A8ECEF692E74AE356E8CB734029B233185EE5C2CCB6CC87CC6B36BEA65CF'
- - 'SHA256=4F12EE563E7496E7105D67BF64AF6B436902BE4332033AF0B5A242B206372CB7'
- - 'SHA256=4582ADB2E67EEBAFF755AE740C1F24BC3AF78E0F28E8E8DECB99F86BF155AB23'
- - 'SHA256=8D8A5696BDF11D2427016F91F9726AFF4F0C80FADBC3E6033662FA11C8B282BD'
- - 'SHA256=F08EBDDC11AEFCB46082C239F8D97CEEA247D846E22C4BCDD72AF75C1CBC6B0B'
- - 'SHA256=12A636449A491EF3DC8688C5D25BE9EBF785874F9C4573667EEFD42139201AA4'
- - 'SHA256=7F1772BDF7DD81CB00D30159D19D4EB9160B54D7609B36F781D08CA3AFBD29A7'
- - 'SHA256=5C206B569B7059B7C32EB5FC36922CB435C2B16C8D96DE1038C8BD298ED498FE'
- - 'SHA256=C56536F99207915E5A1F7D4F014AB942BD820E64FF7F371AD0462EF26ED27242'
- - 'SHA256=0988D366572A57B3015D875B60704517D05115580678E8F2E126F771EDA28F7B'
- - 'SHA256=651FFA0C7AFF7B4A7695DDDD209DC3E7F68156E29A14D3FCC17AEF4F2A205DCC'
- - 'SHA256=7113DEE11925B346192F6EE5441974DB7D1FE9B5BE1497A6B295C06930FDD264'
- - 'SHA256=3D31118A2E92377ECB632BD722132C04AF4E65E24FF87743796C75EB07CFCD71'
- - 'SHA256=3390919BB28D5C36CC348F9EF23BE5FA49BFD81263EB7740826E4437CBE904CD'
- - 'SHA256=CB9890D4E303A4C03095D7BC176C42DEE1B47D8AA58E2F442EC1514C8F9E3CEC'
- - 'SHA256=7D8937C18D6E11A0952E53970A0934CF0E65515637AC24D6CA52CCF4B93D385F'
- - 'SHA256=FD33FB2735CC5EF466A54807D3436622407287E325276FCD3ED1290C98BD0533'
- - 'SHA256=B430D3A0BDB837A5D6625D3B1CEF07ABD1953F969869FF6CF7BA398AE605431A'
- - 'SHA256=DEC8A933DBA04463ED9BB7D53338FF87F2C23CFB79E0E988449FC631252C9DCC'
- - 'SHA256=0EBAEF662B14410C198395B13347E1D175334EC67919709AD37D65EBA013ADFF'
- - 'SHA256=221DFBC74BBB255B0879360CCC71A74B756B2E0F16E9386B38A9CE9D4E2E34F9'
- - 'SHA256=37DDE6BD8A7A36111C3AC57E0AC20BBB93CE3374D0852BCACC9A2C8C8C30079E'
- - 'SHA256=82774D5230C5B6604D6F67A32883F720B4695387F3F383AABC713FC2904FF45D'
- - 'SHA256=DDD83AF2E99C2E51F2BBBB5A1FAADF9F2DDBC3E39B086935621D6846A8530D76'
- - 'SHA256=E6D0C06DEB74F0448391F2C14A08D5C1B7D263DC444ACC5C1CF57ACFE82DA6BB'
- - 'SHA256=F05A1DF10900B05FB7211F3DADD15003FC91CFA28A08BCC6D7AFA02CD8AB3D5C'
- - 'SHA256=C174566743B47AE3C3BBB9F32D2856DE5959E06EC100B648853058EEFCDA43FA'
- - 'SHA256=3A95CC82173032B82A0FFC7D2E438DF64C13BC16B4574214C9FE3BE37250925E'
- - 'SHA256=0BB5F2EAACD64398A66D73D4617AA0C1209D483FAFCBE99E4E12CA6C024DB2EC'
- - 'SHA256=13B82D81D6EAC1A8B2E4655504DABECBD70673CDF45C244702A02F3397FDFF9A'
- - 'SHA256=8168304169A2453C0C3E0A285C2A07D3B3B83433E0342F6B33400C371AF86221'
- - 'SHA256=DFAEFD06B680F9EA837E7815FC1CC7D1F4CC375641AC850667AB20739F46AD22'
- - 'SHA256=5B9623DA9BA8E5C80C49473F40FFE7AD315DCADFFC3230AFDC9D9226D60A715A'
- - 'SHA256=72B99147839BCFB062D29014EC09FE20A8F261748B5925B00171EF3CB849A4C1'
- - 'SHA256=0391107305D76EB9DDF1A5B3B3C50DA361E8AB35B573DBD19BF9383436B9303E'
- - 'SHA256=0289FE12E675101CEE03934C1AF5CB73069A12170A88BD051E31A292B97F701B'
- - 'SHA256=708016FBE22C813A251098F8F992B177B476BD1BBC48C2ED4A122FF74910A965'
- - 'SHA256=9385E4CDABD0AEE2670FB756598EA977161F45B71687ECB9E43533081629F661'
- - 'SHA256=A3E507E713F11901017FC328186AE98E23DE7CEA5594687480229F77D45848D8'
- - 'SHA256=D25904FBF907E19F366D54962FF543D9F53B8FDFD2416C8B9796B6A8DD430E26'
- - 'SHA256=D5562FB90B0B3DEB633AB335BCBD82CE10953466A428B3F27CB5B226B453EAF3'
- - 'SHA256=DE6BF572D39E2611773E7A01F0388F84FB25DA6CBA2F1F8B9B36FFBA467DE6FA'
- - 'SHA256=FAFA1BB36F0AC34B762A10E9F327DCAB2152A6D0B16A19697362D49A31E7F566'
- - 'SHA256=C60FCFF9C8E5243BBB22EC94618B9DCB02C59BB49B90C04D7D6AB3EBBD58DC3A'
- - 'SHA256=BFCFFC82A564A2ADCD3522CD78CDF83795B6212F787230A5EA6B7EFB9F232784'
- - 'SHA256=350E15BF24DCFDC052DB117718329A03E930C17AC8C835E51D001E74BAD784E4'
- - 'SHA256=DF4E25990742FC8D3AED70F6CB4D402E111E7ED08FA5F76ACA685B8C03B98B93'
- - 'SHA256=AE79E760C739D6214C1E314728A78A6CB6060CCE206FDE2440A69735D639A0A2'
- - 'SHA256=823DA894B2C73FFCD39E77366B6F1ABF0AE9604D9B20140A54E6D55053AADEBA'
- - 'SHA256=CB57F3A7FE9E1F8E63332C563B0A319B26C944BE839EABC03E9A3277756BA612'
- - 'SHA256=146D77E80CA70EA5CB17BFC9A5CEA92334F809CBDC87A51C2D10B8579A4B9C88'
- - 'SHA256=64F9E664BC6D4B8F5F68616DD50AE819C3E60452EFD5E589D6604B9356841B57'
- - 'SHA256=FCDFE570E6DC6E768EF75138033D9961F78045ADCA53BEB6FDB520F6417E0DF1'
- - 'SHA256=E9B433A33DC72EB2622947B41F01D04A48CD71BEAC775A88F3F1E4C838090EE8'
- - 'SHA256=F8886A9C759E0426E08D55E410B02C5B05AF3C287B15970175E4874316FFAF13'
- - 'SHA256=9D58F640C7295952B71BDCB456CAE37213BACCDCD3032C1E3AEB54E79081F395'
- - 'SHA256=4A9093E8DBCB867E1B97A0A67CE99A8511900658F5201C34FFB8035881F2DBBE'
- - 'SHA256=3E9B62D2EA2BE50A2DA670746C4DBE807DB9601980AF3A1014BCD72D0248D84C'
- - 'SHA256=0FD2DF82341BF5EBB8A53682E60D08978100C01ACB0BED7B6CE2876ADA80F670'
- - 'SHA256=0DE4247E72D378713BCF22D5C5D3874D079203BB4364E25F67A90D5570BDCCE8'
- - 'SHA256=49ED27460730B62403C1D2E4930573121AB0C86C442854BC0A62415CA445A810'
- - 'SHA256=BE03E9541F56AC6ED1E81407DCD7CC85C0FFC538C3C2C2C8A9C747EDBCF13100'
- - 'SHA256=D7BC7306CB489FE4C285BBEDDC6D1A09E814EF55CF30BD5B8DAF87A52396F102'
- - 'SHA256=258359A7FA3D975620C9810DAB3A6493972876A024135FEAF3AC8482179B2E79'
- - 'SHA256=455BC98BA32ADAB8B47D2D89BDBADCA4910F91C182AB2FC3211BA07D3784537B'
- - 'SHA256=15C53EB3A0EA44BBD2901A45A6EBEAE29BB123F9C1115C38DFB2CDBEC0642229'
- - 'SHA256=4CFF6E53430B81ECC4FAE453E59A0353BCFE73DD5780ABFC35F299C16A97998E'
- - 'SHA256=4941C4298F4560FC1E59D0F16F84BAB5C060793700B82BE2FD7C63735F1657A8'
- - 'SHA256=8111085022BDA87E5F6AA4C195E743CC6DD6A3A6D41ADD475D267DC6B105A69F'
- - 'SHA256=CC383AD11E9D06047A1558ED343F389492DA3AC2B84B71462AEE502A2FA616C8'
- - 'SHA256=E94E8A87459DB56837D1C58F9854794AA99F36566A9DED9B398BE9D4D3A2C2AF'
- - 'SHA256=44A0599DEFEA351314663582DBC61069B3A095A4DDAD571BB17DD0D8B21E7FF2'
- - 'SHA256=84DF20B1D9D87E305C92E5FFAE21B10B325609D59D835A954DBD8750EF5DABF4'
- - 'SHA256=36875562E747136313EC5DB58174E5FAB870997A054CA8D3987D181599C7DB6A'
- - 'SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6'
- - 'SHA256=63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0'
- - 'SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406'
- - 'SHA256=04e88b7717aadc6b56dfa006b9414fc2c899c398d7e003627770e07fed52edfd'
- - 'SHA256=4a229ab274e364df92cc46ecbc9faab32f7b0955dab982658313f2faf9410863'
- - 'SHA256=659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9'
- - 'SHA256=6c856c3c315c0f213684045da3203692c07c3da5df755155fd8b128fb447c437'
- - 'SHA256=8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870'
- - 'SHA256=9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89'
- - 'SHA256=a3e8ea5e593176f9e66c17f6a200fa665c7ef409c97f49aadf5a55ad6b0be97e'
- - 'SHA256=a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4'
- - 'SHA256=b16c3ed44cd04b033621ada7f9ab89d830949b3c9dc26999d862ddbeb7cc5a86'
- - 'SHA256=bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a'
- - 'SHA256=bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7'
- - 'SHA256=cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce'
- - 'SHA256=d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540'
- - 'SHA256=d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe'
- - 'SHA256=e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37'
- - 'SHA256=f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca'
+ - 'SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad'
+ - 'SHA1=745bad097052134548fe159f158c04be5616afc2'
+ - 'SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754'
+ - 'SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce'
+ - 'SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d'
+ - 'SHA1=ac13941f436139b909d105ad55637e1308f49d9a'
+ - 'SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b'
+ - 'SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1'
+ - 'SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809'
+ - 'SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387'
+ - 'SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1'
+ - 'SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee'
+ - 'SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3'
+ - 'SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0'
+ - 'SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1'
+ - 'SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4'
+ - 'SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d'
+ - 'SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd'
+ - 'SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9'
+ - 'SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312'
+ - 'SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643'
+ - 'SHA1=27eab595ec403580236e04101172247c4f5d5426'
+ - 'SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8'
+ - 'SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c'
+ - 'SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef'
+ - 'SHA1=9c256edd10823ca76c0443a330e523027b70522d'
+ - 'SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e'
+ - 'SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0'
+ - 'SHA1=054a50293c7b4eea064c91ef59cf120d8100f237'
+ - 'SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2'
+ - 'SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e'
+ - 'SHA1=14bf0eaa90e012169745b3e30c281a327751e316'
+ - 'SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79'
+ - 'SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08'
+ - 'SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614'
+ - 'SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a'
+ - 'SHA1=879fcc6795cebe67718388228e715c470de87dca'
+ - 'SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a'
+ - 'SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67'
+ - 'SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03'
+ - 'SHA1=a7bd05de737f8ea57857f1e0845a25677df01872'
+ - 'SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e'
+ - 'SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3'
+ - 'SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc'
+ - 'SHA1=d62fa51e520022483bdc5847141658de689c0c29'
+ - 'SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9'
+ - 'SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b'
+ - 'SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd'
+ - 'SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be'
+ - 'SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646'
+ - 'SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b'
+ - 'SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60'
+ - 'SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430'
+ - 'SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b'
+ - 'SHA1=0b8b83f245d94107cb802a285e6529161d9a834d'
+ - 'SHA1=c969f1f73922fd95db1992a5b552fbc488366a40'
+ - 'SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451'
+ - 'SHA1=da9cea92f996f938f699902482ac5313d5e8b28e'
+ - 'SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53'
+ - 'SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260'
+ - 'SHA1=f052dc35b74a1a6246842fbb35eb481577537826'
+ - 'SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf'
+ - 'SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e'
+ - 'SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15'
+ - 'SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2'
+ - 'SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939'
+ - 'SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e'
+ - 'SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1'
+ - 'SHA1=7fb52290883a6b69a96d480f2867643396727e83'
+ # The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - 'SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab'
+ - 'SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2'
+ - 'SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d'
+ - 'SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299'
+ - 'SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c'
+ - 'SHA1=fe10018af723986db50701c8532df5ed98b17c39'
+ - 'SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b'
+ - 'SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347'
+ - 'SHA1=82ba5513c33e056c3f54152c8555abf555f3e745'
+ - 'SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa'
+ - 'SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4'
+ - 'SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436'
+ - 'SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891'
+ - 'SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748'
+ - 'SHA1=c771ea59f075170e952c393cfd6fc784b265027c'
+ - 'SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1'
+ - 'SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b'
+ - 'SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04'
+ # The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
+ - 'SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89'
+ - 'SHA1=15df139494d2c40a645fb010908551185c27f3c5'
+ - 'SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de'
+ - 'SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75'
+ - 'SHA1=490109fa6739f114651f4199196c5121d1c6bdf2'
+ - 'SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5'
+ - 'SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de'
+ - 'SHA1=3f223581409492172a1e875f130f3485b90fbe5f'
+ - 'SHA1=5db61d00a001fd493591dc919f69b14713889fc5'
+ # https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
+ - 'SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f'
+ - 'SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370'
+ - 'SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c'
+ - 'SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676'
+ - 'SHA1=c6bd965300f07012d1b651a9b8776028c45b149a'
+ - 'SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f'
+ - 'SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1'
+ - 'SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9'
+ - 'SHA1=dc55217b6043d819eadebd423ff07704ee103231'
+ - 'SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4'
+ - 'SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f'
+ - 'SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab'
+ - 'SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63'
+ - 'SHA1=c6d349823bbb1f5b44bae91357895dba653c5861'
+ - 'SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2'
+ - 'SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825'
+ - 'SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d'
+ - 'SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6'
+ - 'SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162'
+ - 'SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb'
+ - 'SHA1=29a190727140f40cea9514a6420f5a195e36386b'
+ - 'SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77'
+ - 'SHA1=7667b72471689151e176baeba4e1cd9cd006a09a'
+ - 'SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5'
+ - 'SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8'
+ - 'SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e'
+ - 'SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403'
+ - 'SHA1=d702d88b12233be9413446c445f22fda4a92a1d9'
+ - 'SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1'
+ - 'SHA1=643383938d5e0d4fd30d302af3e9293a4798e392'
+ - 'SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07'
+ # The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver
+ # These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules
+ - 'SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816'
+ - 'SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e'
+ - 'SHA1=166759fd511613414d3213942fe2575b926a6226'
+ - 'SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4'
+ - 'SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca'
+ - 'SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8'
+ - 'SHA1=4de33d03fee52f396a1c788000ca868d56ac30de'
+ - 'SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0'
+ - 'SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d'
+ - 'SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1'
+ - 'SHA1=943593e880b4d340f2548548e6e673ef6f61eed3'
+ - 'SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd'
+ - 'SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28'
+ - 'SHA1=aa2ea973bb248b18973e57339307cfb8d309f687'
+ - 'SHA1=3a5d176c50f97b71d139767ed795d178623f491d'
+ - 'SHA1=25d812a5ece19ea375178ef9d60415841087726e'
+ - 'SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07'
+ - 'SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0'
+ - 'SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02'
+ - 'SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c'
+ - 'SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a'
+ - 'SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed'
+ - 'SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b'
+ - 'SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d'
+ - 'SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef'
+ - 'SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001'
+ - 'SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c'
+ - 'SHA1=9401389fba314d1810f83edce33c37e84a78e112'
+ - 'SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371'
+ - 'SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7'
+ - 'SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0'
+ - 'SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4'
+ - 'SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2'
+ - 'SHA1=38571f14fc014487194d1eecfa80561ee8644e09'
+ - 'SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2'
+ - 'SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8'
+ - 'SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba'
+ - 'SHA1=4c18754dca481f107f0923fb8ef5e149d128525d'
+ - 'SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f'
+ - 'SHA1=cde32654a041fedc7b0fa1083f6005b950760062'
+ - 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a'
+ - 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332'
+ - 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c'
+ # The list below is from https://github.com/namazso/physmem_drivers
+ - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
+ - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
+ - 'SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA'
+ - 'SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F'
+ - 'SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414'
+ - 'SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D'
+ - 'SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA'
+ - 'SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00'
+ - 'SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E'
+ - 'SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7'
+ - 'SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602'
+ - 'SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8'
+ - 'SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A'
+ - 'SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4'
+ - 'SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4'
+ - 'SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C'
+ - 'SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B'
+ - 'SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A'
+ - 'SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9'
+ - 'SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB'
+ - 'SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC'
+ - 'SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF'
+ - 'SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A'
+ - 'SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3'
+ - 'SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5'
+ - 'SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB'
+ - 'SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94'
+ - 'SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0'
+ - 'SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F'
+ - 'SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C'
+ - 'SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8'
+ - 'SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4'
+ - 'SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303'
+ - 'SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469'
+ - 'SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B'
+ - 'SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E'
+ - 'SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608'
+ - 'SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685'
+ - 'SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71'
+ - 'SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2'
+ - 'SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293'
+ - 'SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57'
+ - 'SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A'
+ - 'SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A'
+ - 'SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659'
+ - 'SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA'
+ - 'SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2'
+ - 'SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7'
+ - 'SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57'
+ - 'SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92'
+ - 'SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184'
+ - 'SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457'
+ - 'SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A'
+ - 'SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4'
+ - 'SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F'
+ - 'SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8'
+ - 'SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165'
+ - 'SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E'
+ - 'SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A'
+ - 'SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C'
+ - 'SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653'
+ - 'SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028'
+ - 'SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3'
+ - 'SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D'
+ - 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
+ - 'SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3'
+ - 'SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955'
+ - 'SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339'
+ - 'SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25'
+ - 'SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0'
+ - 'SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357'
+ - 'SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21'
+ - 'SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D'
+ - 'SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF'
+ - 'SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B'
+ - 'SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4'
+ - 'SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097'
+ - 'SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6'
+ - 'SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD'
+ - 'SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492'
+ - 'SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1'
+ - 'SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558'
+ - 'SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6'
+ - 'SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219'
+ - 'SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE'
+ - 'SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250'
+ - 'SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB'
+ - 'SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5'
+ - 'SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A'
+ - 'SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E'
+ - 'SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3'
+ - 'SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5'
+ - 'SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005'
+ - 'SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793'
+ - 'SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7'
+ - 'SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52'
+ - 'SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3'
+ - 'SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4'
+ - 'SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57'
+ - 'SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94'
+ - 'SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE'
+ - 'SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B'
+ - 'SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7'
+ - 'SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8'
+ - 'SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1'
+ - 'SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449'
+ - 'SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499'
+ - 'SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526'
+ - 'SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D'
+ - 'SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B'
+ - 'SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB'
+ - 'SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B'
+ - 'SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889'
+ - 'SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530'
+ - 'SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482'
+ - 'SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1'
+ - 'SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A'
+ - 'SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA'
+ - 'SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0'
+ - 'SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D'
+ - 'SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03'
+ - 'SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C'
+ - 'SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008'
+ - 'SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC'
+ - 'SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004'
+ - 'SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D'
+ - 'SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB'
+ - 'SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA'
+ - 'SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980'
+ - 'SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099'
+ - 'SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C'
+ - 'SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E'
+ - 'SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8'
+ - 'SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84'
+ # The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - 'SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b'
+ - 'SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790'
+ - 'SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22'
+ - 'SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44'
+ - 'SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8'
+ - 'SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009'
+ - 'SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df'
+ - 'SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead'
+ - 'SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16'
+ - 'SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7'
+ - 'SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5'
+ - 'SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495'
- 'SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
- - 'SHA256=ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
- - 'SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
+ - 'SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c'
+ - 'SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
+ # The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
+ - 'SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4'
+ - 'SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6'
+ - 'SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062'
+ - 'SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b'
+ - 'SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece'
+ - 'SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374'
+ - 'SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50'
+ - 'SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6'
+ - 'SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e'
+ # https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
+ - 'SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc'
+ - 'SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d'
+ - 'SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65'
+ - 'SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347'
+ - 'SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9'
+ - 'SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219'
+ - 'SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8'
+ - 'SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813'
+ - 'SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a'
+ - 'SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f'
+ - 'SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc'
+ - 'SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de'
+ - 'SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073'
+ - 'SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890'
+ - 'SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0'
+ - 'SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200'
+ - 'SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf'
+ - 'SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2'
+ - 'SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173'
+ - 'SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6'
+ - 'SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8'
+ - 'SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508'
+ - 'SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3'
+ - 'SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52'
+ - 'SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129'
+ - 'SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993'
+ - 'SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d'
+ - 'SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd'
+ - 'SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35'
+ - 'SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33'
+ - 'SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29'
+ # The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver
+ # These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules
+ - 'SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838'
+ - 'SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b'
+ - 'SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82'
+ - 'SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7'
+ - 'SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038'
+ - 'SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89'
+ - 'SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e'
+ - 'SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3'
+ - 'SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6'
+ - 'SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89'
+ - 'SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf'
+ - 'SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea'
+ - 'SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5'
+ - 'SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a'
+ - 'SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f'
+ - 'SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3'
+ - 'SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003'
+ - 'SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7'
+ - 'SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498'
+ - 'SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22'
+ - 'SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4'
+ - 'SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c'
+ - 'SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53'
+ - 'SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de'
+ - 'SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330'
+ - 'SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46'
+ - 'SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347'
+ - 'SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026'
+ - 'SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15'
+ - 'SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91'
+ - 'SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf'
+ - 'SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c'
+ - 'SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64'
+ - 'SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59'
+ - 'SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6'
+ - 'SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b'
+ - 'SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9'
+ - 'SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351'
+ - 'SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5'
+ - 'SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c'
+ - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
+ - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
+ - 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
selection_other:
- SHA1:
- - '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77'
- - '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346'
- - '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f'
- - '55ab7e27412eca433d76513edc7e6e03bcdd7eda'
- - '1e7c241b9a9ea79061b50fb19b3d141dee175c27'
- - 'e5c090903a20744ba3583a8ea684d035e8cecc34'
- - 'ca5ff4eb8ccbde4eff3491fd7941769e8d093d79'
- - 'c92148d0666f2235500805975be79738b84e48c2'
- - 'f8270f774b3549079ea7d5f0d5406f307019bdfb'
- - '61e1b497a5df0797527d6d465a8f315a82ad35eb'
- - '708855db4202a792862e1139d673c3b4b713053c'
- - '2e6d61fa32e12fe4abf7b7d87aa6824f5f528000'
- - '5f9c7d3552ffa98c9dcf9a9b7ad1263d2ab24a2f'
- - '55a90e7822a1444fae81371df7296cc5642fb353'
- - '085529e58be3806d396f1bb15ff078fd4c471aab'
- - 'd0580bfc31faefb7e017798121c5b8a4e68155f9'
- - 'b419d69a4ed8d4eabd90a155ed15c3374bea6ffc'
- - '4bfe9e5a5a25b7cde6c81ebe31ed4abeb5147faf'
- - 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410'
- - '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c'
- - 'b3410021ea5a46818d9ff05a96c2809a9abe8e4a'
- - '490f85e291c4d9ed0ab8457ce6b424c0f3f7e7ac'
- - 'c28b640beca5e2834d2a373f139869cc309f6631'
- - '282bb241bda5c4c1b8eb9bf56d018896649ca0e1'
- - '8cc8974a05e81678e3d28acfe434e7804abd019c'
- - 'e09b5e80805b8fe853ea27d8773e31bff262e3f7'
- - 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b'
- - '50e2bc41f0186fdce970b80e2a2cb296353af586'
- - '485c0b9710a196c7177b99ee95e5ddb35b26ddd1'
- - '1d1cafc73c97c6bcd2331f8777d90fdca57125a3'
- - '69006fbbd1b150fb9404867a5bcdc04fe0fc1bad'
- - '4eae38e9dc262eb7b6ede4b3d3f4ad068933845e'
- - '51e0740aaee5ae76b0095c92908c97b817db8bea'
- - 'd99b80b3269d735cac43af5e43483e64ca7961c3'
- - 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec'
- - '4789b910023a667bee70ff1f1a8f369cffb10fe8'
- - '7838fb56fdab816bc1900a4720eea2fc9972ef7a'
- - '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4'
- - 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab'
- - '08596732304351b311970ff96b21f451f23b1e25'
- - 'bc2f3850c7b858340d7ed27b90e63b036881fd6c'
- - 'e74b6dda8bc53bc687fc21218bd34062a78d8467'
- - '2c27abbbbcf10dfb75ad79557e30ace5ed314df8'
- - 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326'
- - '8241c9a5755a740811c8e8d2739b33146acd3e6d'
- - '4b8c0445075f09aeef542ab1c86e5de6b06e91a3'
- - 'e014c6bebfda944ce3a58ab9fe055d4f9367d49c'
- - 'e5a152bb57060c2b27e825258698bd7ff67907ff'
- - 'aca8e53483b40a06dfdee81bb364b1622f9156fe'
- - '83767982b3a5f70615a386f4d6638f20509f3560'
- - '8f0b99b53eb921547afecf1f12b3299818c4e5d1'
- - '295e590d49df717c489c5c824e9c6896a14248bb'
- - '7a43be821832e9bf55b1b781ae468179d0e4f56e'
- - '05ac1c64ca16ab0517fe85d4499d08199e63df26'
- - '4bbb9709d5f916fe78eaa15431f622761efc496f'
- - '150f5dae8716b09a64cac96862f5e2506a71e771'
- - '3debe170b5a113407f9e86ee6ed9ae00c3d82c9f'
- - '73857acdd7d7c9235f3e18c503a27e7c88c5fcb0'
- - '8bc75e18953b7b23991b2fbc79713e1e175f75e4'
- - 'a2da5c397f737fa55d8f93d3ced5eb70ae09801f'
- - 'c58b6ef848ca87ad9ec4368c45c8f1eb7fa6bd16'
- - '74cbc407acd9d2a4bc609b2f8c9a09b90912d10c'
- - '1923d1f21faffcd7d511e2b313fe9415e6ad90ae'
- - 'f3e60b7b9c53315d6158f82596919209a00e1cda'
- - 'aa97bf43e6bad521f3a3d8081fb350c89382f06f'
- - '4604a20cae2dfe42320fe8f6aed000ec204efa7e'
- - '60a632e4b838731aad553650d6bc8af3d3d80b26'
- - '03f0dd3124ec3a4bb6d30865a488f54e74ded699'
- - '8a50e81d6e6c45410bf13f95b1a67cada8c82221'
- - '83660d245fe618ecafe4900ac1e2ad0292c2da2a'
- - '202d5a05e546740037f9a4dc2b21f71680c39d3b'
- - '7c1ba790ca2aa03f30413d02f3a812fcca1ab29f'
- - '969a945c93f54fcbf17548903131d4b86042df7b'
- - '64309db7af8665368636186805745126b8bd5bfe'
- - '1f7804d9185b1910c43bd4104d58b96994ff8e49'
- - '2a506e2512c9083419b7741b4499e012cdc60204'
- - '1236573a309c4edb52e050e53e73188183c23e7e'
- - '22c5e127e7e7c567d8624607a6f8f5809deacb55'
- - 'dc38cc55b84a1a7c0846fb5509b43b4ff97a9be6'
- - 'aa937f73a8afcda98e868f4aeeb0eb81a4150075'
- - '481488488cf7bb5cd470b62600a3570a1711abaa'
- - 'c58bebef6a92f5a5b37be0394695e8e18a42867f'
- - '7aa2c4c51afc1c82beae55ab9ca7ba0bb588b5c0'
- - 'fd081f7a372b939db8523e222d118b87450d3d19'
- - 'e343aa3981393778f32df94efac90fe35d6933a9'
- - '002223fddc5658ea22b7a8979984a9b54f63b316'
- - '1cf3b0a2a0b47477a840adc2b520401e18af16d6'
- - 'f50b475d5fd1ed4f866bf43342676e449f779c67'
- - 'c4fe0cbb8da5bf1e02ec6d7a0f97d740955ddd97'
- - '3ae56ab63230d6d9552360845b4a37b5801cc5ea'
- - 'b04ecc8dd0d52fe4552d2c4d693d67fae20c460f'
- - '710bba7c3d6cac7b62ab05e6b12274d1548985e6'
- - '67650bc9cdf0716bc7b5664723c38fc5327ec662'
- - '39f934078a060bad2d58b5dba8f8884903d697a7'
- - 'cec5447d0529f97c4bf4a012ea58aab07139ffe0'
- - '0d523e8b0b96675ac2e5ac0d56c367564b260545'
- - '69d6b4032f1456506382885eba5b396f1c36841b'
- - '738cf0afb7ecdf35a92667c8802d512a0caf353c'
- - 'ec7947ad1919c8f60bc973b96da4132a1ea396e0'
- - 'd85c6097a2279301222b6a06b93296ace669a76d'
- - '61258963d900c2a39408ef4b51f69f405f55e407'
- - '8403a17ae001fef3488c2e641e2be553cd5b478d'
- - '0ce54b617de11c24670064960b736ef9c47a5f15'
- - '82f8d4ba137fa4b0da20e8cd1968a7aaea803dbc'
- - '00b4fdc0f7f28ddecd5b4e5880a71e7f08b5f825'
- - '3c20bb896fd16b5c698185fb176e820a448997b3'
- - '6a784d45517142c11d5cca3ff9956b2ed6eaf4c9'
- - '4e5e719362cd48bb323803c1d00afde11d4b9d4c'
- - 'fd8a340cd071bc98e6eeac9bbd4ac8a78688bc17'
- - '560d8869d48a71e59601b76240e9a6cffb068c9c'
- - '2a95f882dd9bafcc57f144a2708a7ec67dd7844c'
- - 'c9cc3779ed67755220dbf9592ec2ac0e1de363dc'
- - 'b0ec7d971da8ae84c0ed8f88a5d46b23996e636c'
- - '6980122aef4e2d5d7a6dddb6da76a166c460e0a1'
- - 'da21f5889f8374c3961856d681adec3d663d2964'
- - 'c5057a4fd3c9b58f4c9ab9fe356081df8804bf98'
- - 'fc5f231383fe72e298893010a9a3714b205c4110'
- - '3281135748c9c7a9ddace55c648c720af810475f'
- - '26c398b86fd33b3e6c4348f780c4cf758c99c8fd'
- - '5107438a02164e1bcedd556a786f37f59cd04231'
- - '316e7872a227f0ead483d244805e9ff4d3569f6f'
- - '588a9f349e520aa5ac5bd650b75345419b28ae85'
- - '66941573dafd7259cba113c0fa9eaccd347355fd'
- - 'c3596085c90d81c2c51a75558211ad44c853c358'
- - '02a7e085631ecfe031b76afa883a266c850ed61b'
- - '6bd3ab2e730561f7d1385dcfef81c1fa67398c8c'
- - '8b86e08d610bcc9ab7b7750f036dbb568f733be0'
- - '179601e33b5ae4e2ea13f34fd084b1fcbd56fbce'
- - 'dcdb7bf7e237b9bda190f60e386a49a7c3494f8d'
- - 'e8f7e20061f9cc20583dcab3b16054d106b8aa83'
- - '36875a862d1e762e6cc75595ef37ea7460a1e1df'
- - 'b423ca58603513b5d3a9669736d5e13c353fd6f9'
- - 'ae806ca05e141b71664d9c6f20cc2369ef26f996'
- - 'd0559503988daa407fcc11e59079560cb456bb84'
- - '0cb0fd5bea730e4eaaec1426b0c15376ccac6d83'
- - 'd4e21c205de75cde70cd73c52c646e1e5d333a35'
- - '7e732acb7cfad9ba043a9350cdeff25d742becb8'
- - 'cde1a50e1df7870f8e4afd8631e45a847c714c0a'
- - '07660d1867e20be0212a96cba6b5fe6be7776eaf'
- - 'b2cd3a63d04eae427bede6c6fe8facba91ececbf'
- - '877c6c36a155109888fe1f9797b93cb30b4957ef'
- - 'a7d827a41b2c4b7638495cd1d77926f1ba902978'
- - '0c2599d738d01a82ec91725f499acebbcfb47cc9'
- - 'c978063e678233c5efb8f002fef000fd479cc632'
- - '3c9f40ac72b0202cb40627fdeb7298079187193a'
- - '6e7d8abf7f81a2433f27b052b3952efc4b9cc0b1'
- - 'e3dbe2aa03847df621591a4cad69a5609de5c237'
- - 'f3821ec0aef270f749df9f44fba91afa5c8c38e8'
- - '12eb825418a932b1e4c6697dc7647e89ae52cf3f'
- - '497afeb0d5b97d4b863704a2f77ffef31220402d'
- - '706686f2a1ef4738a1856d01ab10eb730fc7b327'
- - '05e20d0274a4fcc5368f25c62174003a555917e7'
- - 'ebf8c7dc8292950acc260a0e473678ae3c56b210'
- - '0d1dc447860dc9b9b7fa278ff16120e14064517c'
- - 'fca1ee04be5d7752a1ad717a6aac9c143c5c8bcd'
- - 'a14331f63ec907bf3e472f1e0cb8f19de06ef4e4'
- - '8ec43d1def8bb20354aeba49a9084bacd2c02817'
- - '708ead1221fb176aa9594f9e0aa7f783704fb962'
- - 'f1bdd3236f43338a119d74eca730f0d464ded973'
- - '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3'
- - 'f023177aca17f6dc90fdd9588240cb16c70a9fe2'
- - '8788f4b39cbf037270904bdb8118c8b037ee6562'
- - '8b860c5d34254290769d40d703625f774c213e00'
- - '6a8c00b703a5d6b8c82878628978db9bf282d6ae'
- - '8fa3636a7697f953d7daa02a313981b9e3bc98e4'
- - '125ea078bc3cc79b34bec8141391acaf2d69ffe2'
- - '7cb3ea53660dbc1b4fe12e0c03c7bfea0a3c92a2'
- - '70d5b0be6ed51e43c0a19b773cead8793257bbc1'
- - '4a4609839b846f384f1b6f3a9a945bf3119d2f9c'
- - '04e8a8d30869cf60ad42825667224d5cd01ade15'
- - 'f5bf9d483e0a204e7ff59fc092b4e580951802ca'
- - '8b04023990d18dcd5cc4c5538b332b017f3962fc'
- - '73338b8931a3c265e8b544fa17de3056a3e56b59'
- - '657a875554b075eb7f2d314bbbe967c789624b30'
- - '0e23cd5f100a035bd5ad521a6ad40454fda084c7'
- - 'aee092fd31772d33932a7a02dd2d73ede67f7db0'
- - '118f688c30a2f6c2d1feb955f53ce4acf3086b3b'
- - '4ede7f018c317ddc6a5f8f935f917621668cb1ec'
- - 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775'
- - '10b30bdee43b3a2ec4aa63375577ade650269d25'
+ # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
+ - '2261198385d62d2117f50f631652eded0ecc71db'
+ - '8db869c0674221a2d3280143cbb0807fac08e0cc'
+ - '27d3ebea7655a72e6e8b95053753a25db944ec0f'
+ - '33cdab3bbc8b3adce4067a1b042778607dce2acd'
+ - '21e6c104fe9731c874fab5c9560c929b2857b918'
+ - 'd979353d04bf65cc92ad3412605bc81edbb75ec2'
+ - '2f991435a6f58e25c103a657d24ed892b99690b8'
+ - 'f02af84393e9627ba808d4159841854a6601cf80'
+ - 'bb962c9a8dda93e94fef504c4159de881e4706fe'
+ - 'b97a8d506be2e7eaa4385f70c009b22adbd071ba'
+ - '92f251358b3fe86fd5e7aa9b17330afa0d64a705'
+ - '8b6aa5b2bff44766ef7afbe095966a71bc4183fa'
+ - 'af6e1f2cfb230907476e8b2d676129b6d6657124'
+ - 'fcde5275ee1913509927ce5f0f85e6681064c9d2'
+ - '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b'
+ - '6523b3fd87de39eb5db1332e4523ce99556077dc'
+ - '72966ca845759d239d09da0de7eebe3abe86fee3'
+ - '57511ef5ff8162a9d793071b5bf7ebe8371759de'
+ - '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7'
+ - '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e'
+ - '89cd760e8cb19d29ee08c430fb17a5fd4455c741'
+ - '1d0df45ee3fa758f0470e055915004e6eae54c95'
+ - 'd5fd9fe10405c4f90235e583526164cd0902ed86'
+ - 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65'
+ - '609fa1efcf61e26d64a5ceb13b044175ab2b3a13'
+ - '7d7c03e22049a725ace2a9812c72b53a66c2548b'
+ - 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb'
+ - '468e2e5505a3d924b14fedee4ddf240d09393776'
+ - '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8'
+ - 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f'
+ - '078ae07dec258db4376d5a2a05b9b508d68c0123'
+ - '623cd2abef6c92255f79cbbd3309cb59176771da'
+ - '1f3a9265963b660392c4053329eb9436deeed339'
+ - '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c'
+ - 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d'
+ - '4268f30b79ce125a81d0d588bef0d4e2ad409bbb'
+ - 'c834c4931b074665d56ccab437dfcc326649d612'
+ - '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c'
+ - '51b60eaa228458dee605430aae1bc26f3fc62325'
+ - '3270720a066492b046d7180ca6e60602c764cac7'
+ - '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131'
+ - '19bd488fe54b011f387e8c5d202a70019a204adf'
+ - 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e'
+ - 'ea877092d57373cb466b44e7dbcad4ce9a547344'
+ - '205c69f078a563f54f4c0da2d02a25e284370251'
+ - 'f9feb60b23ca69072ce42264cd821fe588a186a6'
+ - 'b25170e09c9fb7c0599bfba3cf617187f6a733ac'
+ - '160c96b5e5db8c96b821895582b501e3c2d5d6e7'
+ - 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843'
+ - '4e826430a1389032f3fe06e2cc292f643fb0c417'
+ - '7ab4565ba24268f0adadb03a5506d4eb1dc7c181'
+ - 'dc7b022f8bd149efbcb2204a48dce75c72633526'
+ - '0307d76750dd98d707c699aee3b626643afb6936'
+ - '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a'
+ - '6714380bc0b8ab09b9a0d2fa66d1b025b646b946'
+ - '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d'
+ - '30a224b22592d952fbe2e6ad97eda4a8f2c734e0'
+ - 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe'
+ - 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0'
+ - 'b4d1554ec19504215d27de0758e13c35ddd6db3e'
+ - '5dd2c31c4357a8b76db095364952b3d0e3935e1d'
+ - 'ecb4d096a9c58643b02f328d2c7742a38e017cf0'
+ - '4a705af959af61bad48ef7579f839cb5ebd654d2'
+ - 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57'
- 'c948ae14761095e4d76b55d9de86412258be7afd'
+ - 'ddbe809b731a0962e404a045ab9e65a0b64917ad'
+ - '745bad097052134548fe159f158c04be5616afc2'
+ - '8d59fd14a445c8f3f0f7991fa6cd717d466b3754'
+ - '2dfcb799b3c42ecb0472e27c19b24ac7532775ce'
+ - 'cc51be79ae56bc97211f6b73cc905c3492da8f9d'
+ - 'ac13941f436139b909d105ad55637e1308f49d9a'
+ - '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b'
+ - 'cc0e0440adc058615e31e8a52372abadf658e6b1'
+ - '5520ac25d81550a255dc16a0bb89d4b275f6f809'
+ - '6afc6b04cf73dd461e4a4956365f25c1f1162387'
+ - '4b009e91bae8d27b160dc195f10c095f8a2441e1'
+ - '6003184788cd3d2fc624ca801df291ccc4e225ee'
+ - '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3'
+ - 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0'
+ - '89909fa481ff67d7449ee90d24c167b17b0612f1'
+ - 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4'
+ - '5e6ddd2b39a3de0016385cbd7aa50e49451e376d'
+ - '976777d39d73034df6b113dfce1aa6e1d00ffcfd'
+ - '9c6749fc6c1127f8788bff70e0ce9062959637c9'
+ - '53acd4d9e7ba0b1056cf52af0d191f226eddf312'
+ - '3abb9d0a9d600200ae19c706e570465ef0a15643'
+ - '27eab595ec403580236e04101172247c4f5d5426'
+ - '78b9481607ca6f3a80b4515c432ddfe6550b18a8'
+ - '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c'
+ - 'd9c09dd725bc7bc3c19b4db37866015817a516ef'
+ - '9c256edd10823ca76c0443a330e523027b70522d'
+ - '35829e096a15e559fcbabf3441d99e580ca3b26e'
+ - 'b8de3a1aeeda9deea43e3f768071125851c85bd0'
+ - '054a50293c7b4eea064c91ef59cf120d8100f237'
+ - 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2'
+ - '01a578a3a39697c4de8e3dab04dba55a4c35163e'
+ - '14bf0eaa90e012169745b3e30c281a327751e316'
+ - 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79'
+ - '6100eb82a25d64a7a7702e94c2b21333bc15bd08'
+ - 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614'
+ - '28b1c0b91eb6afd2d26b239c9f93beb053867a1a'
+ - '879fcc6795cebe67718388228e715c470de87dca'
+ - '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a'
+ - '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67'
+ - '5f8356ffa8201f338dd2ea979eb47881a6db9f03'
+ - 'a7bd05de737f8ea57857f1e0845a25677df01872'
+ - 'cce9b82f01ec68f450f5fe4312f40d929c6a506e'
+ - 'e35a2b009d54e1a0b231d8a276251f64231b66a3'
+ - '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc'
+ - 'd62fa51e520022483bdc5847141658de689c0c29'
+ - '93aa3bb934b74160446df3a47fa085fd7f3a6be9'
+ - 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b'
+ - '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd'
+ - '3805e4e08ad342d224973ecdade8b00c40ed31be'
+ - '65d8a7c2e867b22d1c14592b020c548dd0665646'
+ - 'c8d87f3cd34c572870e63a696cf771580e6ea81b'
+ - 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60'
+ - 'd34a7c497c603f3f7fcad546dc4097c2da17c430'
+ - '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b'
+ - '0b8b83f245d94107cb802a285e6529161d9a834d'
+ - 'c969f1f73922fd95db1992a5b552fbc488366a40'
+ - 'ac600a2bc06b312d92e649b7b55e3e91e9d63451'
+ - 'da9cea92f996f938f699902482ac5313d5e8b28e'
+ - '33285b2e97a0aeb317166cce91f6733cf9c1ad53'
+ - '21edff2937eb5cd6f6b0acb7ee5247681f624260'
+ - 'f052dc35b74a1a6246842fbb35eb481577537826'
+ - 'f0c463d29a5914b01e4607889094f1b7d95e7aaf'
+ - '0c26ab1299adcd9a385b541ef1653728270aa23e'
+ - 'f36a47edfacd85e0c6d4d22133dd386aee4eec15'
+ - '460008b1ffd31792a6deadfa6280fb2a30c8a5d2'
+ - '738b7918d85e5cb4395df9e3f6fc94ddad90e939'
+ - '43419df1f9a07430a18c5f3b3cc74de621be0f8e'
+ - '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1'
+ - '7fb52290883a6b69a96d480f2867643396727e83'
+ # The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab'
+ - '693a2645c28fc3b248fda95179c36c3ac64f6fc2'
+ - '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d'
+ - 'd25340ae8e92a6d29f599fef426a2bc1b5217299'
+ - '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c'
+ - 'fe10018af723986db50701c8532df5ed98b17c39'
+ - 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b'
+ - 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347'
+ - '82ba5513c33e056c3f54152c8555abf555f3e745'
+ - 'd098600152e5ee6a8238d414d2a77a34da8afaaa'
+ - '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4'
+ - 'bbc1e5fd826961d93b76abd161314cb3592c4436'
+ - '90a76945fd2fa45fab2b7bcfdaf6563595f94891'
+ - 'b03b1996a40bfea72e4584b82f6b845c503a9748'
+ - 'c771ea59f075170e952c393cfd6fc784b265027c'
+ - 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1'
+ - '0918277fcdc64a9dc51c04324377b3468fa1269b'
+ - 'b09bcc042d60d2f4c0d08284818ed198cededa04'
+ # The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
+ - '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89'
+ - '15df139494d2c40a645fb010908551185c27f3c5'
+ - '012db3a80faf1f7f727b538cbe5d94064e7159de'
+ - 'd04e5db5b6c848a29732bfd52029001f23c3da75'
+ - '490109fa6739f114651f4199196c5121d1c6bdf2'
+ - 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5'
+ - 'a87d6eac2d70a3fbc04e59412326b28001c179de'
+ - '3f223581409492172a1e875f130f3485b90fbe5f'
+ - '5db61d00a001fd493591dc919f69b14713889fc5'
+ # https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
+ - '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f'
+ - '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370'
+ - '9d07df024ec457168bf0be7e0009619f6ac4f13c'
+ - '9a35ae9a1f95ce4be64adc604c80079173e4a676'
+ - 'c6bd965300f07012d1b651a9b8776028c45b149a'
+ - 'e83458c4a6383223759cd8024e60c17be4e7c85f'
+ - 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1'
+ - '9c24dd75e4074041dbe03bf21f050c77d748b8e9'
+ - 'dc55217b6043d819eadebd423ff07704ee103231'
+ - 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4'
+ - 'dc0e97adb756c0f30b41840a59b85218cbdd198f'
+ - '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab'
+ - 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63'
+ - 'c6d349823bbb1f5b44bae91357895dba653c5861'
+ - 'f42f28d164205d9f6dab9317c9fecad54c38d5d2'
+ - 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825'
+ - '8183a341ba6c3ce1948bf9be49ab5320e0ee324d'
+ - 'eb1ecad3d37bb980f908bf1a912415cff32e79e6'
+ - 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162'
+ - '6053d258096bccb07cb0057d700fe05233ab1fbb'
+ - '29a190727140f40cea9514a6420f5a195e36386b'
+ - 'a4b2c56c12799855162ca3b004b4b2078c6ecf77'
+ - '7667b72471689151e176baeba4e1cd9cd006a09a'
+ - 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5'
+ - '99201c9555e5faf6e8d82da793b148311f8aa4b8'
+ - '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e'
+ - '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403'
+ - 'd702d88b12233be9413446c445f22fda4a92a1d9'
+ - '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1'
+ - '643383938d5e0d4fd30d302af3e9293a4798e392'
+ - 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07'
+ # The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver
+ # These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules
+ - 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816'
+ - 'db6245578ec57bd767b27ecf8085095e1c8e5a6e'
+ - '166759fd511613414d3213942fe2575b926a6226'
+ - '02a8b74899591da7b7f49c0450328d39b939d7e4'
+ - '98ceed786f79288becc08c3b82c57e8d4bfa1bca'
+ - 'f6b3577ea4b1a5641ae3421151a26268434c3db8'
+ - '4de33d03fee52f396a1c788000ca868d56ac30de'
+ - 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0'
+ - 'fbc6d2448739ddec35bb5d6c94b46df4148f648d'
+ - '6b54f8f137778c1391285fee6150dfa58a8120b1'
+ - '943593e880b4d340f2548548e6e673ef6f61eed3'
+ - '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd'
+ - 'e44297a2b750ec1958bef265e2f1ae6fa4323b28'
+ - 'aa2ea973bb248b18973e57339307cfb8d309f687'
+ - '3a5d176c50f97b71d139767ed795d178623f491d'
+ - '25d812a5ece19ea375178ef9d60415841087726e'
+ - '3795e32592ab6d8074b6f7ad33759c6a39b0df07'
+ - 'fc121ed6fb37e97a004b6faf217435b772dfc4c0'
+ - 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02'
+ - 'cf040040628b58f4a811f98c2690913c1e8e4e3c'
+ - '3296844d22c87dd5eba3aa378a8242b41d59db7a'
+ - 'bc47e15537fa7c32dfefd23168d7e1741f8477ed'
+ - 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b'
+ - 'f3c5e723ae009b336cd2719137b8cd194c9ee51d'
+ - '41f2d0f9863bce8920c207b1ef5d3d32b603edef'
+ - 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001'
+ - '3cd037fbba8aae82c1b111c9f8755349c98bcb3c'
+ - '9401389fba314d1810f83edce33c37e84a78e112'
+ - '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371'
+ - '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7'
+ - 'fcd615df88645d1f57ff5702bd6758b77efea6d0'
+ - 'f3db629cfe37a73144d5258e64d9dd8b38084cf4'
+ - 'a00e444120449e35641d58e62ed64bb9c9f518d2'
+ - '38571f14fc014487194d1eecfa80561ee8644e09'
+ - '4d41248078181c7f61e6e4906aa96bbdea320dc2'
+ - '3599ea2ac1fa78f423423a4cf90106ea0938dde8'
+ - '3d6d53b0f1cc908b898610227b9f1b9352137aba'
+ - '4c18754dca481f107f0923fb8ef5e149d128525d'
+ - '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f'
+ - 'cde32654a041fedc7b0fa1083f6005b950760062'
+ - '5fb9421be8a8b08ec395d05e00fd45eb753b593a'
+ - 'b480c54391a2a2f917a44f91a5e9e4590648b332'
+ - '4f7a8e26a97980544be634b26899afbefb0a833c'
- SHA256:
+ # The list below is from https://github.com/namazso/physmem_drivers
+ - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
+ - '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
+ - '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
+ - '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA'
+ - '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F'
+ - 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414'
+ - '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D'
+ - '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA'
+ - '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00'
+ - '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E'
+ - '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7'
+ - 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602'
+ - 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8'
+ - 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A'
+ - '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4'
+ - '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4'
+ - 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C'
+ - 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B'
+ - '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A'
+ - '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9'
+ - '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB'
+ - '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC'
+ - 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF'
+ - '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A'
+ - '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3'
+ - '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5'
+ - '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB'
+ - '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94'
+ - '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0'
+ - '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F'
+ - '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C'
+ - '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8'
+ - '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4'
+ - '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303'
+ - '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469'
+ - '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B'
+ - '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E'
+ - 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608'
+ - 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685'
+ - 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71'
+ - 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2'
+ - 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293'
+ - 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57'
+ - '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A'
+ - '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A'
+ - '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659'
+ - '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA'
+ - '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2'
+ - '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7'
+ - '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57'
+ - '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92'
+ - '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184'
+ - '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457'
+ - '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A'
+ - '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4'
+ - '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F'
+ - 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8'
+ - 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165'
+ - 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E'
+ - 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A'
+ - 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C'
+ - 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653'
+ - 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028'
+ - '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3'
+ - 'DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D'
+ - '0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
+ - '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3'
+ - 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955'
+ - 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339'
+ - '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25'
+ - '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0'
+ - '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357'
+ - '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21'
+ - '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D'
+ - 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF'
+ - 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B'
+ - '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4'
+ - 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097'
+ - '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6'
+ - '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD'
+ - '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492'
+ - '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1'
+ - '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558'
+ - '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6'
+ - '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219'
+ - '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE'
+ - '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250'
+ - '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB'
+ - '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5'
+ - '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A'
+ - '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E'
+ - '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3'
+ - '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5'
+ - '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005'
+ - '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793'
+ - '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7'
+ - '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52'
+ - '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3'
+ - '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4'
+ - '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57'
+ - '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94'
+ - '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE'
+ - '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B'
+ - '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7'
+ - '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8'
+ - '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1'
+ - '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449'
+ - 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499'
+ - 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526'
+ - 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D'
+ - 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B'
+ - 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB'
+ - 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B'
+ - 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889'
+ - 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530'
+ - 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482'
+ - 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1'
+ - 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A'
+ - 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA'
+ - 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0'
+ - 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D'
+ - 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03'
+ - '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C'
+ - 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008'
+ - '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC'
+ - 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004'
+ - '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D'
+ - '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB'
+ - '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA'
+ - '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980'
+ - '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099'
+ - '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C'
+ - 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E'
+ - '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8'
+ - '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84'
+ # The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
- '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4'
- '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1'
- - '92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9'
- - 'f84634b5c0e83ca9bb25928dc3c4fc05d37451c23b780dbeeb1f10f056f1eeee'
- - 'c1b41d6b91448e2409bb2f4fbf4aeb952adf373d0decc9d052277b89ba401407'
- - '1056806f6508b4f5e8a00a6e8d07aeac06a1be5f9b92f1684f33682d2da9349e'
- - '9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3'
- - 'd8841803f181f735d8794c82ba52d8c484b3b0a95dbbb66114314f439b75b0e9'
- - '19c74ea0e0baf04820e5642bd2fa224158801ed966be1041539e3c55bd65c471'
- - 'a3c9c5625ba6a6075d365543603a4dd4d7790850753d5289ff976eb2a839910f'
- - '739c11fdb8673ab5b78f1a874daf5ba3faddb7910a6d4e0cc49abd8b8537333f'
- - 'be5653e4c1ed75a451be4297ff233a22c7aab93b2126ca428834e83cadff5e9c'
- - 'c767a5895119154467ac3fce8e82c20e6538a4e54f6c109001c61f8abd58f9f8'
- - '14141f03eff7c2f44bfed93524f4ec64abdc8f3d45d55b1bcb5701ca354319fd'
- - 'fee4560f2160a951d83344857eb4587ab10c1cfd8c5cfc23b6f06bef8ebcd984'
- - 'b00060733f88e3897d4b1e4732df67ff277a8d615f84e6efab98c79c72cba370'
- - '11eecf9e6e2447856ed4cf86ee1cb779cfe0672c808bbd5934cf2f09a62d6170'
- - '23e39d9e40235a5c456260e03caccc186fe79ffd7d0439aea7530ebb0380946d'
- - 'b6bf2460e023b1005cc60e107b14a3cfdf9284cc378a086d92e5dcdf6e432e2c'
- - 'e22b7ba6d064c75913c3bdadaf7aada535dddd83175d8a47467fed5abc56d5ac'
- - '7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8'
- - 'bb83738210650e09307ce869aca9bfa251024d3c47b1006b94fce2846313f56e'
- - '0381632cd236cd94fa9e64ccc958516ac50f9437f99092e231a607b1e6be6cf8'
- - '9378f7dff94d9409d38fa1a125c52734d6baea90913fc3cee2659fd36ab0da29'
- - 'faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4'
- - '42589c7ce89941060465096c4661654b43e38c1f9d05d66239825e8fccf52705'
- - '96ee751f7c38731e97773e07e0f13f4dd361af9aaa1d30b41652c2e6efc3fb3e'
- - '862a262e7af92599e6b10035b8a3c988078b92ba791a6230a85fd6d1ecec88c7'
- - 'fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef'
- - '7e2ad3d6d76f4fcd4583b865ffc12de6c44fc16cbcbb81d480cb067f2a860422'
- - '97b976f7e7e5df7af0781bbbb33cb5f3f7a59efdd07995253b31de8123352a67'
- - '1ed9da2da2539284404e0701e6ba3c9eb37be10353e826f425a194d247b8b7ce'
- - 'feef191064d18b6fb63b7299415d1b1e2ec8fcdd742854aa96268d0ec4a0f7b6'
- - '2d48414647a7f9dea30f19074ebf8f17e55e9031b8604794ceb88369c8c52532'
- - '7b7e0e1453e733050b586a6fac91883dbb85ae0775c84c4ceb967cfc9b4efd10'
- - '0893e186e236315fe78a7ef41ed71617e75d90d2d14fe93911e0d9344beaf69f'
- - '7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7'
- - 'b98e008dfea10ec74c89d08f12f31c12f52234be6ffff06b6b9e749bfea6cbed'
- - '47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220'
- - 'e7f011e9857c7db5aacbd424612cd7e3d12c363fdc8f072ddfaf9e2e5c85f5f3'
- - '2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07'
- - 'a69247025dd32dc15e06fee362b494bcc6105d34b8d7091f7ec3d9000bd71501'
- - 'f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc'
- - 'c8fa1ec3d03050fbc1aa677f2c0348690521291219e8d2e94f0ea9e9174b9156'
- - '038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb'
- - 'aa594d977312a944b14351c075634e7c59b42687928fbcda8e2c4cea46686dd9'
- - '7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057'
- - '5958cbe6cf7170c4b66893777bde66343f5536a98610bd188e10d47db84bc04c'
- - '543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5'
- - '8bf958afa751d7ab66ebb1fae25679e6f0fde72078aefc09f1824eefa526005e'
- - '3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75'
- - '6ad3624ca1dc38eceec75234e50934b1bad7c72621dc57deab09044d0135877d'
- - 'b8bf3bd441ebc5814c5d39d053fdcb263e8e58476cbdee4b1226903305f547b6'
- - 'ac706d9ed906b5c879f6ad59ffb56fa6bc5e1395fe9adf7c60f7eb94d044d018'
- - 'f34c667c0da3cd813e60f11b67338723252beb9bd43fc5e0c8c7265f263d2bd9'
- - 'c7b193f92a943afbc0eb57b23b5be5e66f66574051bf838b6735e13733da1809'
- - '841f965977f33d621d126412032c47dd6118251623c380e5572f7553b620b0e1'
- - 'd3eccd41c75046ca9a72af273c132aeded1d6572a20d1a64ed08337204b9da83'
- - 'fb5e65aec819c5a91ef0ce0fec0a957826b5e1ac9bac559a1b4201a3870462a3'
- - 'd402fe9eed2c0a26aaf2cb2311019fff7004965aa2d22702974203a50a52c9b0'
- - 'a520ff5c754a1fb62ba88399a313d0c0fb99145ba2d3d91dbf4282388b77fa84'
- - '2e7b3c52fe1541b51f814b82fced59513de249b6834b4b2c94acd97ca889477c'
- - 'ad44cfd9c6262a6ff36ee9d03e59ba4b0524ef87f6b980ce15abb10a35d39f88'
- - '80bfd0ead1ea54219d6a1a454242caa6c2397fa94af1b4e10d269b670afda898'
- - '96a5b3cd7c1a6dda5b6f402e6c35ba535270467f56addc7448dbe4aa78428411'
- - '7f0a28ccf0ab76964d40e063f9d4b88193b77e4badf66e8c8f87c97127885987'
- - 'e219276a4068b1eea5ce08f83a322845dce4eca89e05c71a0c2417065ce48813'
- - 'ebfbfa7c84036a4cf0114bbb0c8017b532f37d846589aeb0004bc8b1f5f4d230'
- - '43b7715e38449bf82ad0bb6b11d03da42150c1ee23148c5f396cc4ab1001622d'
- - '70344f2494d6b7ee4c5716e886d912447cffe9695d2286814dc3ce0361727bba'
- - '0d0962db9dc6879067270134801ad425c1f3e85b0dc39877c02aaa9c54aca14e'
- - 'c1d2036235a489fdd8b3970c9ef01567443a87d17b0ad5c2a033d4c471d0ecde'
- - '7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027'
- - '05736ab8b48df84d81cb2cc0fbdc9d3da34c22db67a3e71c6f4b6b3923740dd5'
- - 'be0af245444321e51f4dd8a90a19a0abe05a060cbad93701e23a02df307957ae'
- - 'd86d6732ac4d1cb41a2dce40436b839c0dfdcef9ba306ce5d0f97c0522abfac8'
- - '4e19d4ce649c28dd947424483796beace3656284fb0379d97dddd320aa602bbc'
- - 'eac7316089dbaf7df79a531355547bbda22fa0921e31bba0d27bcc88234e9ed3'
- - 'b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28'
- - '1081ccd57fd35998634103ae1e736638d82351092acd30fe75084ea6a08ca0f7'
- - 'a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66'
- - 'b7113b9a68e17428e2107b19ba099571aaffc854b8fb9cbceb79ef9e3fd1cc62'
- - 'eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf'
- - '4f12ee563e7496e7105d67bf64af6b436902be4332033af0b5a242b206372cb7'
- - '4582adb2e67eebaff755ae740c1f24bc3af78e0f28e8e8decb99f86bf155ab23'
- - '8d8a5696bdf11d2427016f91f9726aff4f0c80fadbc3e6033662fa11c8b282bd'
- - 'f08ebddc11aefcb46082c239f8d97ceea247d846e22c4bcdd72af75c1cbc6b0b'
- - '12a636449a491ef3dc8688c5d25be9ebf785874f9c4573667eefd42139201aa4'
- - '7f1772bdf7dd81cb00d30159d19d4eb9160b54d7609b36f781d08ca3afbd29a7'
- - '5c206b569b7059b7c32eb5fc36922cb435c2b16c8d96de1038c8bd298ed498fe'
- - 'c56536f99207915e5a1f7d4f014ab942bd820e64ff7f371ad0462ef26ed27242'
- - '0988d366572a57b3015d875b60704517d05115580678e8f2e126f771eda28f7b'
- - '651ffa0c7aff7b4a7695dddd209dc3e7f68156e29a14d3fcc17aef4f2a205dcc'
- - '7113dee11925b346192f6ee5441974db7d1fe9b5be1497a6b295c06930fdd264'
- - '3d31118a2e92377ecb632bd722132c04af4e65e24ff87743796c75eb07cfcd71'
- - '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd'
- - 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec'
- - '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f'
- - 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533'
- - 'b430d3a0bdb837a5d6625d3b1cef07abd1953f969869ff6cf7ba398ae605431a'
- - 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc'
- - '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff'
- - '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9'
- - '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e'
- - '82774d5230c5b6604d6f67a32883f720b4695387f3f383aabc713fc2904ff45d'
- - 'ddd83af2e99c2e51f2bbbb5a1faadf9f2ddbc3e39b086935621d6846a8530d76'
- - 'e6d0c06deb74f0448391f2c14a08d5c1b7d263dc444acc5c1cf57acfe82da6bb'
- - 'f05a1df10900b05fb7211f3dadd15003fc91cfa28a08bcc6d7afa02cd8ab3d5c'
- - 'c174566743b47ae3c3bbb9f32d2856de5959e06ec100b648853058eefcda43fa'
- - '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e'
- - '0bb5f2eaacd64398a66d73d4617aa0c1209d483fafcbe99e4e12ca6c024db2ec'
- - '13b82d81d6eac1a8b2e4655504dabecbd70673cdf45c244702a02f3397fdff9a'
- - '8168304169a2453c0c3e0a285c2a07d3b3b83433e0342f6b33400c371af86221'
- - 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22'
- - '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a'
- - '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1'
- - '0391107305d76eb9ddf1a5b3b3c50da361e8ab35b573dbd19bf9383436b9303e'
- - '0289fe12e675101cee03934c1af5cb73069a12170a88bd051e31a292b97f701b'
- - '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965'
- - '9385e4cdabd0aee2670fb756598ea977161f45b71687ecb9e43533081629f661'
- - 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8'
- - 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26'
- - 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3'
- - 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa'
- - 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566'
- - 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a'
- - 'bfcffc82a564a2adcd3522cd78cdf83795b6212f787230a5ea6b7efb9f232784'
- - '350e15bf24dcfdc052db117718329a03e930c17ac8c835e51d001e74bad784e4'
- - 'df4e25990742fc8d3aed70f6cb4d402e111e7ed08fa5f76aca685b8c03b98b93'
- - 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2'
- - '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba'
- - 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612'
- - '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88'
- - '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57'
- - 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1'
- - 'e9b433a33dc72eb2622947b41f01d04a48cd71beac775a88f3f1e4c838090ee8'
- - 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13'
- - '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395'
- - '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe'
- - '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c'
- - '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670'
- - '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8'
- - '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810'
- - 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100'
- - 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102'
- - '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79'
- - '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b'
- - '15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229'
- - '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e'
- - '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8'
- - '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f'
- - 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8'
- - 'e94e8a87459db56837d1c58f9854794aa99f36566a9ded9b398be9d4d3a2c2af'
- - '44a0599defea351314663582dbc61069b3a095a4ddad571bb17dd0d8b21e7ff2'
- - '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4'
- - '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a'
- - 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602'
- - 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c'
- - 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b'
+ - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
+ - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
+ - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
+ - 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d'
+ - '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89'
+ - '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495'
+ - '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5'
+ - 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986'
+ - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
+ - '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c'
+ - '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4'
+ - '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b'
+ - 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790'
+ - '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22'
+ - '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44'
+ - '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8'
+ - '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009'
+ - '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df'
+ - '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead'
+ - 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16'
+ - 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7'
+ # The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
+ - '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4'
+ - '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6'
+ - 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062'
+ - '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b'
+ - '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece'
+ - '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374'
+ - '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50'
+ - 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6'
+ - 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e'
+ # https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
- 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc'
- '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d'
- 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65'
@@ -725,14 +923,10 @@ detection:
- '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8'
- '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813'
- '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a'
- - '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0'
- '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f'
- 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc'
- 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de'
- - '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd'
- - '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5'
- '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073'
- - 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530'
- '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890'
- '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0'
- 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200'
@@ -751,143 +945,52 @@ detection:
- 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35'
- '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33'
- 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29'
- - '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6'
- - '115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406'
- - '63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0'
- - '04e88b7717aadc6b56dfa006b9414fc2c899c398d7e003627770e07fed52edfd'
- - '4a229ab274e364df92cc46ecbc9faab32f7b0955dab982658313f2faf9410863'
- - '659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9'
- - '6c856c3c315c0f213684045da3203692c07c3da5df755155fd8b128fb447c437'
- - '8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870'
- - '9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89'
- - 'a3e8ea5e593176f9e66c17f6a200fa665c7ef409c97f49aadf5a55ad6b0be97e'
- - 'a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4'
- - 'b16c3ed44cd04b033621ada7f9ab89d830949b3c9dc26999d862ddbeb7cc5a86'
- - 'bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a'
- - 'bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7'
- - 'cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce'
- - 'd0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540'
- - 'd64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe'
- - 'e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37'
- - 'f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca'
- - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
- - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
- - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
- driver_img:
- ImageLoaded|endswith:
- - '\ASIO32.sys'
- - '\fiddrv.sys'
- - '\WinRing0.sys'
- - '\ASIO64.sys'
- - '\bandai.sys'
- - '\capcom.sys'
- - '\32-bit dell dbutil.sys'
- - '\64-bit dell dbutil.sys'
- - '\fiddrv64.sys'
- - '\fidpcidrv.sys'
- - '\fidpcidrv64.sys'
- - '\PassMark DirectIo.sys'
- - '\MsIo.sys'
- - '\piddrv.sys'
- - '\phymemx64'
- - '\semav6msr64.sys'
- - '\80.sys'
- - '\full.sys'
- - '\nstrwsk.sys'
- - '\nt2.sys'
- - '\nt3.sys'
- - '\nt5.sys'
- - '\81.sys'
- - '\b4.sys'
- - '\bw.sys'
- - '\bwrs.sys'
- - '\bwrsh.sys'
- - '\TGSafe.sys'
- - '\BlackBoneDrv10.sys'
- - '\windows-xp-64.sys'
- - '\windows8-10-32.sys'
- - '\kbdcap64.sys'
- - '\netfilterdrv.sys'
- - '\d.sys'
- - '\b3.sys'
- - '\2.sys'
- - '\b1.sys'
- - '\My.sys'
- - '\Black.sys'
- - '\WYProxy32.sys'
- - '\WYProxy64.sys'
- - '\Proxy64.sys'
- - '\LgDCatcher.sys'
- - '\ni.sys'
- - '\d4.sys'
- - '\d2.sys'
- - '\t.sys'
- - '\1.sys'
- - '\cpupress.sys'
- - '\gameink.sys'
- - '\NetFlt.sys'
- - '\ProtectS.sys'
- - '\GameTerSafe.sys'
- - '\Lurker.sys'
- - '\TestBone.sys'
- - '\Proxy32.sys'
- - '\t7.sys'
- - '\t8.sys'
- - '\nstr.sys'
- - '\nt6.sys'
- - '\t3.sys'
- - '\windows7-32.sys'
- - '\NetProxyDriver.sys'
- - '\c.sys'
- - '\b.sys'
- - '\nt4.sys'
- - '\d3.sys'
- - '\AsUpIO64.sys'
- - '\AsrDrv10.sys'
- - '\AsrDrv101.sys'
- - '\AsrDrv102.sys'
- - '\AsrDrv103.sys'
- - '\BSMEMx64.sys'
- - '\BSMIXP64.sys'
- - '\BSMIx64.sys'
- - '\BS_Flash64.sys'
- - '\BS_HWMIO64_W10.sys'
- - '\BS_HWMIo64.sys'
- - '\BS_I2c64.sys'
- - '\GLCKIO2.sys'
- - '\GVCIDrv64.sys'
- - '\HwOs2Ec10x64.sys'
- - '\HwOs2Ec7x64.sys'
- - '\MsIo64.sys'
- - '\NBIOLib_X64.sys'
- - '\NCHGBIOS2x64.sys'
- - '\NTIOLib_X64.sys'
- - '\PhlashNT.sys'
- - '\Phymemx64.sys'
- - '\UCOREW64.sys'
- - '\WinFlash64.sys'
- - '\amifldrv64.sys'
- - '\atillk64.sys'
- - '\dbk64.sys'
- - '\mtcBSv64.sys'
- - '\nvflash.sys'
- - '\nvflsh64.sys'
- - '\phymem64.sys'
- - '\rtkio64.sys'
- - '\rtkiow10x64.sys'
- - '\rtkiow8x64.sys'
- - '\segwindrvx64.sys'
- - '\superbmc.sys'
- - '\semav6msr.sys'
- - '\piddrv64.sys'
- - '\mhyprot2.sys'
- - '\netfilter.sys'
- - '\RTCore64.sys'
- - '\DBUtils_2_3.sys'
- driver_status:
- - Signed: 'false'
- - SignatureStatus: Expired
- condition: 1 of selection* or all of driver_*
+ # The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver
+ # These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules
+ - '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838'
+ - '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b'
+ - '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82'
+ - '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7'
+ - 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038'
+ - 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89'
+ - '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e'
+ - '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3'
+ - '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6'
+ - '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89'
+ - 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf'
+ - '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea'
+ - 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5'
+ - '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a'
+ - '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f'
+ - '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3'
+ - '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003'
+ - '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7'
+ - '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498'
+ - '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22'
+ - '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4'
+ - '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c'
+ - 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53'
+ - '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de'
+ - 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330'
+ - '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46'
+ - '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347'
+ - '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026'
+ - '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15'
+ - '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91'
+ - 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf'
+ - '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c'
+ - 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64'
+ - '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59'
+ - '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6'
+ - 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b'
+ - '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9'
+ - '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351'
+ - 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5'
+ - 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c'
+ - '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
+ - '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
+ - 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
+ condition: 1 of selection*
falsepositives:
- Unknown
level: high
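Review bot: Removing `driver_img` together with `driver_status` (`Signed: 'false'` / `SignatureStatus: Expired`) drops the signature-state signal from the rule set entirely: the old `all of driver_*` branch fired only when a known vulnerable driver name was loaded *and* the image was unsigned or carried an expired signature, and neither the hash-only selections kept here nor the new name-only rule added in this commit carries that condition over. If the drop is intentional, a short note in the rule `description` (e.g. that signature status is no longer evaluated and name matching moved to the related rule) would save the next reader from assuming the check still exists. As a point of style, the Elastic block under `condition: 1 of selection*` is lower-case while the blocks at the top of the list are upper-case; Sigma string matching is case-insensitive so behaviour is unaffected, but normalising to one case would expose exact duplicates such as `0296e2ce…`/`0296E2CE…` and `ded2927f…`/`DED2927F…` that currently sit in the same list twice. The enclosing `selection*` keys start above this hunk.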
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
new file mode 100644
index 000000000..6011de40e
--- /dev/null
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -0,0 +1,167 @@
+title: Vulnerable Driver Load By Name
+id: c316eac1-f3d8-42da-ad1c-66dcec5ca787
+related:
+ - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
+ type: derived
+status: experimental
+description: Detects the load of known vulnerable drivers via their names only.
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+ - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - https://github.com/jbaines-r7/dellicious
+ - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+ - https://github.com/namazso/physmem_drivers
+ - https://github.com/stong/CVE-2020-15368
+ - https://github.com/CaledoniaProject/drivers-binaries
+date: 2022/10/03
+tags:
+ - attack.privilege_escalation
+ - attack.t1543.003
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection:
+ ImageLoaded|endswith:
+ # The list below is from https://github.com/namazso/physmem_drivers
+ - '\ADV64DRV.sys'
+ - '\Agent64.sys'
+ - '\ALSysIO64.sys'
+ - '\amifldrv64.sys'
+ - '\AsIO.sys'
+ - '\AsIO64.sys'
+ - '\asmmap64.sys'
+ - '\AsrAutoChkUpdDrv.sys'
+ - '\AsrDrv10.sys'
+ - '\AsrDrv101.sys'
+ - '\AsrIbDrv.sys'
+ - '\AsrOmgDrv.sys'
+ - '\AsrRapidStartDrv.sys'
+ - '\AsrSmartConnectDrv.sys'
+ - '\AsUpIO.sys'
+ - '\atillk64.sys'
+ - '\BS_Def64.sys'
+ - '\CITMDRV_AMD64.sys'
+ - '\CITMDRV_IA64.sys'
+ - '\cpuz_x64.sys'
+ - '\cpuz141.sys'
+ - '\dbutil_2_3.sys'
+ - '\Dh_Kernel_10.sys'
+ - '\Dh_Kernel.sys'
+ - '\gdrv.sys'
+ - '\GLCKIO2.sys'
+ - '\HOSTNT.sys'
+ - '\HwRwDrv.sys'
+ - '\inpoutx64.sys'
+ - '\iomem64.sys'
+ - '\Mhyprot2.sys'
+ - '\MsIo64.sys'
+ - '\msrhook.sys'
+ - '\NTIOLib.sys'
+ - '\OpenLibSys.sys'
+ - '\Se64a.sys'
+ - '\smep_capcom.sys'
+ - '\smep_namco.sys'
+ - '\SysInfo.sys'
+ - '\VProEventMonitor.sys'
+ - '\WCPU.sys'
+ - '\WINIODrv.sys'
+ - '\WinRing0.sys'
+ # The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+ - '\physmem.sys'
+ - '\procexp152.sys'
+ - '\viraglt64.sys'
+ - '\vboxdrv.sys'
+ - '\rwdrv.sys'
+ - '\speedfan.sys'
+ - '\kprocesshacker.sys'
+ - '\sandra.sys'
+ - '\elbycdio.sys'
+ - '\goad.sys'
+ - '\aswsnx.sys'
+ - '\sandbox.sys'
+ - '\nicm.sys'
+ - '\nscm.sys'
+ - '\ncpl.sys'
+ - '\elrawdsk.sys'
+ - '\DBUtilDrv2.sys'
+ - '\BS_RCIO64.sys'
+ - '\mhyprot.sys'
+ # The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
+ - '\EneTechIo64.sys'
+ - '\amp.sys'
+ - '\EneIo64.sys'
+ - '\ATSZIO.sys'
+ - '\NalDrv.sys'
+ # https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15480/CVE-2020-15480.md
+ - '\DirectIo32.sys'
+ - '\DirectIo64.sys'
+ # https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
+ - '\AsUpIO64.sys'
+ - '\AsrDrv102.sys'
+ - '\AsrDrv103.sys'
+ - '\BSMEMx64.sys'
+ - '\BSMIXP64.sys'
+ - '\BSMIx64.sys'
+ - '\BS_Flash64.sys'
+ - '\BS_HWMIO64_W10.sys'
+ - '\BS_HWMIo64.sys'
+ - '\BS_I2c64.sys'
+ - '\GVCIDrv64.sys'
+ - '\HwOs2Ec10x64.sys'
+ - '\HwOs2Ec7x64.sys'
+ - '\NBIOLib_X64.sys'
+ - '\NCHGBIOS2x64.SYS'
+ - '\NTIOLib_X64.sys'
+ - '\PhlashNT.sys'
+ - '\Phymemx64.sys'
+ - '\UCOREW64.SYS'
+ - '\WinFlash64.sys'
+ - '\WinRing0x64.sys'
+ - '\dbk64.sys'
+ - '\mtcBSv64.sys'
+ - '\nvflash.sys'
+ - '\nvflsh64.sys'
+ - '\phymem64.sys'
+ - '\rtkio64.sys'
+ - '\rtkiow10x64.sys'
+ - '\rtkiow8x64.sys'
+ - '\segwindrvx64.sys'
+ - '\superbmc.sys'
+ - '\semav6msr.sys'
+ - '\piddrv64.sys'
+ # List below is based on Elastic Yara rules and samples from the "sample references" section https://github.com/elastic/protections-artifacts/search?q=VulnDriver
+ # The names were taken from VT search of those samples
+ - 'BS_I2cIo.sys' # Version: 1.1.0.0
+ - 'rtkio.sys'
+ - 'AMDRyzenMasterDriver.sys' # Version: 1.5.0.0
+ - 'LHA.sys'
+ - 'kEvP64.sys'
+ - 'BSMI.sys' # Version: 1.0.0.3
+ - 'TmComm.sys' # Version: 8.0.0.0
+ - 'cpuz.sys' # Version: 1.0.4.3
+ - 'ElbyCDIO.sys' # Version: 6.0.3.2
+ - 'iQVW64.SYS' # Version: 1.4.0.0
+ - 'vmdrv.sys' # Version: 10.0.10011.16384
+ - 'HpPortIox64.sys' # Version: 1.2.0.9
+ - 'AMDPowerProfiler.sys' # Version: 6.1.0.0
+ - 'CorsairLLAccess64.sys' # Version: 1.0.18.0
+ - 'RTCore64.sys'
+ - 'libnicm.sys' # Version: 3.1.12.0
+ - 'procexp.Sys' # Version: 16.27.0.0
+ - 'viragt.sys' # Version: 1.80.0.0
+ - 'viragt64.sys' # Version: 1.0.0.11
+ - 'AsrDrv106.sys'
+ - 'zamguard64.sys'
+ - 'zam64.sys'
+ - 'fidpcidrv64.sys'
+ - 'MsIo32.sys'
+ - 'winio64.sys'
+ - 'DirectIo64.sys'
+ condition: selection
+falsepositives:
+ - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
+ - If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)
+level: medium
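Review bot: The last block of names, from `'BS_I2cIo.sys'` through `'DirectIo64.sys'`, lacks the leading `\` that every other entry under `ImageLoaded|endswith` has, so these are bare suffix matches rather than whole-filename matches: `'LHA.sys'` also fires on any driver whose name merely ends in `lha.sys`, and the same widening applies to the other short names in that block. Prefixing each of those entries with `\` (e.g. `- '\LHA.sys'`) restores the anchoring the rest of the list relies on. Once anchored, `'DirectIo64.sys'` and `'ElbyCDIO.sys'` become exact duplicates of `'\DirectIo64.sys'` and `'\elbycdio.sys'` earlier in the same list and can be dropped. The `falsepositives` text also has typos worth fixing in the same pass: `occure` → `occur`, and `it's name` / `it's exact` → `its`.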
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
index 543b1670c..ed5c900f7 100644
--- a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
@@ -5,7 +5,9 @@ description: Detects the load of a signed WinRing0 driver often used by threat a
author: Florian Roth
references:
- https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
+ - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
date: 2022/07/26
+modified: 2022/10/03
logsource:
product: windows
category: driver_load
@@ -16,6 +18,7 @@ detection:
- '\WinRing0.sys'
- '\WinRing0.dll'
- '\WinRing0x64.dll'
+ - '\winring00x64.sys'
selection_sysmon:
Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
selection_other:
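Review bot: The new entry `'\winring00x64.sys'` differs from the existing `WinRing0x64` names only by an extra zero, so a later maintainer is likely to read it as a typo and "correct" it; if it is a renamed copy observed in the wild, say so on the line, e.g. `- '\winring00x64.sys'  # renamed WinRing0 copy seen in the wild, not a typo`. The Rapid7 reference added in the first hunk does not obviously document this filename, so a pointer to the sample or report that does would make the entry defensible. Filename matching is trivially evaded by renaming, so the IMPHASH selection below remains the stronger signal; the selection and condition continue outside this hunk.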
diff --git a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
index 77ff46804..8e2b7bf82 100644
--- a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
@@ -50,4 +50,6 @@ detection:
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
+ - Software installed on other partitions other than "C:\"
+ - Searching software such as "everything.exe" that are installed and are not located in one of the "filter_programfile" filter entries
level: medium
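Review bot: The two new false-positive entries describe gaps in the rule's filter rather than closing them: the first says the program-files filter is anchored on `C:\`, and the second that it only covers a fixed set of installers. If the filter entries are indeed written as `C:\Program Files\...` (they are outside this hunk, so this is inferred from the note itself), anchoring on `:\Program Files\` with `|contains` would cover other system drives without widening the match much. The second entry would also read better as `Search and indexing software (e.g. "everything.exe") installed outside the locations covered by the filter_programfile filter`.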
diff --git a/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
index 4fdf3650c..3779cc8a0 100644
--- a/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
+++ b/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
@@ -1,9 +1,9 @@
-title: Advanced IP Scanner
+title: Advanced IP Scanner
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
type: derived
-status: experimental
+status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
@@ -13,7 +13,7 @@ references:
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020/05/12
-modified: 2021/09/11
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1046
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Legitimate administrative use
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml b/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
index 07cbb1170..3fd08abd1 100644
--- a/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
@@ -1,13 +1,12 @@
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
-description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |
- creation of non-standard files on disk by Exchange Server’s Unified Messaging service |
- which could indicate dropping web shells or other malicious content
-author: Bhabesh Raj
-status: experimental
+status: test
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange Server’s Unified Messaging service | which could indicate dropping web shells or other malicious content
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+author: Bhabesh Raj
date: 2021/03/03
+modified: 2022/10/09
tags:
- attack.t1203
- attack.execution
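Review bot: The collapsed description on the new side keeps the literal `|` characters that were the old block-scalar line breaks (`... by looking for | creation of non-standard files ... service | which could ...`), so the rendered description now contains stray pipes. Drop them: `description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropping web shells or other malicious content`. The `’` (typographic apostrophe) in `Server’s` could be normalised to a plain `'` at the same time.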
@@ -19,16 +18,16 @@ detection:
selection:
Image|endswith: 'UMWorkerProcess.exe'
filter:
- TargetFilename|endswith:
+ TargetFilename|endswith:
- 'CacheCleanup.bin'
- '.txt'
- '.LOG'
- '.cfg'
- 'cleanup.bin'
condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
fields:
- ComputerName
- TargetFilename
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index 1c07a1d31..a90639c36 100644
--- a/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -1,13 +1,13 @@
title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
-status: experimental
+status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-author: Sittikorn S
-date: 2021/07/16
-modified: 2021/09/09
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+author: Sittikorn S
+date: 2021/07/16
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1566
@@ -34,4 +34,4 @@ detection:
condition: selection
falsepositives:
- Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml b/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
index ef75f7009..b78c50759 100644
--- a/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
@@ -1,6 +1,6 @@
title: Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
-status: experimental
+status: test
description: |
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
In it's default mode, it builds a self deleting .bat file which executes malicious command.
@@ -9,6 +9,7 @@ references:
- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021/08/21
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_hack_dumpert.yml b/rules/windows/file_event/file_event_win_hack_dumpert.yml
index 74a805179..a80f7ffeb 100755
--- a/rules/windows/file_event/file_event_win_hack_dumpert.yml
+++ b/rules/windows/file_event/file_event_win_hack_dumpert.yml
@@ -3,14 +3,14 @@ id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
-status: experimental
+status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
-author: Florian Roth
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+author: Florian Roth
date: 2020/02/04
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -18,9 +18,9 @@ logsource:
category: file_event
product: windows
detection:
- selection:
+ selection:
TargetFilename: C:\Windows\Temp\dumpert.dmp
condition: selection
falsepositives:
- Very unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
index f21f487db..b8b818b07 100644
--- a/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -1,36 +1,37 @@
title: Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
-status: experimental
+status: test
description: Detects files written by the different tools that exploit HiveNightmare
-author: Florian Roth
-date: 2021/07/23
references:
- https://github.com/GossiTheDog/HiveNightmare
- https://github.com/FireFart/hivenightmare/
- https://github.com/WiredPulse/Invoke-HiveNightmare
- https://twitter.com/cube0x0/status/1418920190759378944
-logsource:
- product: windows
- category: file_event
+author: Florian Roth
+date: 2021/07/23
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1552.001
- cve.2021.36934
+logsource:
+ product: windows
+ category: file_event
detection:
selection:
- - TargetFilename|contains:
+ - TargetFilename|contains:
- '\hive_sam_' # Go version
- '\SAM-2021-' # C++ version
- '\SAM-2022-' # C++ version
- '\SAM-2023-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- - TargetFilename:
+ - TargetFilename:
- 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
+falsepositives:
+ - Files that accidentally contain these strings
+level: high
fields:
- CommandLine
- ParentCommandLine
-falsepositives:
- - Files that accidentally contain these strings
-level: high
diff --git a/rules/windows/file_event/file_event_win_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/file_event_win_lsass_memory_dump_file_creation.yml
index 3648d592e..b36022f26 100755
--- a/rules/windows/file_event/file_event_win_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/file_event_win_lsass_memory_dump_file_creation.yml
@@ -1,11 +1,12 @@
title: LSASS Memory Dump File Creation
id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+status: test
description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
-author: Teymur Kheirkhabarov, oscd.community
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
-modified: 2021/08/16
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -17,11 +18,10 @@ detection:
TargetFilename|contains: 'lsass'
TargetFilename|endswith: 'dmp'
condition: selection
-fields:
- - ComputerName
- - TargetFilename
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
- Dumps of another process that contains lsass in its process name (substring)
level: high
-status: experimental
+fields:
+ - ComputerName
+ - TargetFilename
diff --git a/rules/windows/file_event/file_event_win_mal_adwind.yml b/rules/windows/file_event/file_event_win_mal_adwind.yml
index 1e79f6b12..c4ce26312 100644
--- a/rules/windows/file_event/file_event_win_mal_adwind.yml
+++ b/rules/windows/file_event/file_event_win_mal_adwind.yml
@@ -3,14 +3,14 @@ id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
-status: experimental
+status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
-modified: 2021/09/19
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.005
@@ -27,4 +27,4 @@ detection:
- '\Retrive'
- '.vbs'
condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/file_event/file_event_win_moriya_rootkit.yml b/rules/windows/file_event/file_event_win_moriya_rootkit.yml
index 47213161f..d09b370be 100644
--- a/rules/windows/file_event/file_event_win_moriya_rootkit.yml
+++ b/rules/windows/file_event/file_event_win_moriya_rootkit.yml
@@ -3,13 +3,13 @@ id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
type: derived
+status: test
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
-status: experimental
-author: Bhabesh Raj
-date: 2021/05/06
-modified: 2021/09/21
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+author: Bhabesh Raj
+date: 2021/05/06
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -21,6 +21,6 @@ detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
condition: selection
-level: critical
falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
+level: critical
diff --git a/rules/windows/file_event/file_event_win_new_src_file.yml b/rules/windows/file_event/file_event_win_new_src_file.yml
index b3c76f43b..7caec1c22 100644
--- a/rules/windows/file_event/file_event_win_new_src_file.yml
+++ b/rules/windows/file_event/file_event_win_new_src_file.yml
@@ -6,6 +6,7 @@ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
date: 2022/04/27
+modified: 2022/10/07
tags:
- attack.t1218.011
- attack.defense_evasion
@@ -23,6 +24,7 @@ detection:
- 'C:\Windows\SysWow64\'
- 'C:\Windows\winsxs\'
- 'C:\Windows\WinSxS\'
+ - 'C:\$WINDOWS.~BT\NewOS\'
condition: selection and not filter
falsepositives:
- The installation of new screen savers.
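Review bot: The new filter entry `C:\$WINDOWS.~BT\NewOS\` excludes on target path alone, so any process that drops a screensaver under that directory is silently ignored; by default authenticated users can create folders at the root of the system drive, so an attacker can pre-create this path to stage a `.scr` without triggering the rule (the operator on the filter list is outside the hunk, so this assumes it is a `TargetFilename|startswith`/`contains` match). Pairing the path with the upgrade process image, as the companion startup-folder rule does with `wuauclt.exe`, would narrow the exclusion; at minimum note the trade-off inline: `- 'C:\$WINDOWS.~BT\NewOS\'  # in-place upgrade staging; path-only exclusion, can be pre-created by a local user`.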
diff --git a/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml b/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
index a7b44dbb1..380a47f1d 100644
--- a/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
+++ b/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
@@ -1,22 +1,23 @@
title: Outlook C2 Macro Creation
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
-status: experimental
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+status: test
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
+date: 2021/04/05
+modified: 2022/10/09
tags:
- attack.persistence
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
-date: 2021/04/05
logsource:
category: file_event
product: windows
detection:
- selection:
+ selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
diff --git a/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml b/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
index f4668f6cc..1cefde763 100644
--- a/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
+++ b/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
@@ -1,21 +1,21 @@
title: PCRE.NET Package Temp Files
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
+status: test
description: Detects processes creating temp files related to PCRE.NET package
-status: experimental
-date: 2020/10/29
-modified: 2021/08/14
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.execution
- - attack.t1059
references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1059
logsource:
category: file_event
product: windows
detection:
- selection:
+ selection:
TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
diff --git a/rules/windows/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file_event/file_event_win_pingback_backdoor.yml
index 605c24787..01e27932c 100644
--- a/rules/windows/file_event/file_event_win_pingback_backdoor.yml
+++ b/rules/windows/file_event/file_event_win_pingback_backdoor.yml
@@ -1,13 +1,13 @@
title: Pingback Backdoor
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
-status: experimental
+status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-author: Bhabesh Raj
-date: 2021/05/05
-modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1574.001
@@ -15,10 +15,10 @@ logsource:
product: windows
category: file_event
detection:
- selection:
+ selection:
Image|endswith: 'updata.exe'
TargetFilename: 'C:\Windows\oci.dll'
condition: selection
falsepositives:
- Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
index 0f81b25b9..73ec4a996 100755
--- a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -15,7 +15,7 @@ references:
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
date: 2018/04/07
-modified: 2022/06/22
+modified: 2022/10/04
logsource:
category: file_event
product: windows
@@ -207,6 +207,7 @@ detection:
- '\Invoke-Zerologon.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Start-WebcamRecorder.ps1'
+ - '\PSAsyncShell.ps1'
condition: selection
falsepositives:
- Unknown
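Review bot: The new `\PSAsyncShell.ps1` entry has no matching entry in the `references` list, whereas the surrounding script names each cite the repository they were taken from (see the first hunk); add a reference to the tool's source so the name can be re-verified when the tool is renamed or forked. A short inline comment naming the project (`# PSAsyncShell reverse shell`) would also help, since the filename alone does not convey what is being detected. The `selection` list this entry belongs to starts outside the hunk.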
diff --git a/rules/windows/file_event/file_event_win_rclone_exec_file.yml b/rules/windows/file_event/file_event_win_rclone_exec_file.yml
index 126403a34..7e02272aa 100644
--- a/rules/windows/file_event/file_event_win_rclone_exec_file.yml
+++ b/rules/windows/file_event/file_event_win_rclone_exec_file.yml
@@ -1,18 +1,15 @@
title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
+status: test
description: Detects Rclone config file being created
-status: experimental
-date: 2021/05/26
-modified: 2021/10/04
-author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.t1567.002
-falsepositives:
- - Legitimate Rclone usage (rare)
-level: high
logsource:
product: windows
category: file_event
@@ -21,4 +18,7 @@ detection:
TargetFilename|contains|all:
- ':\Users\'
- '\.config\rclone\'
- condition: selection
\ No newline at end of file
+ condition: selection
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
diff --git a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
index a4716f5ac..79868daed 100644
--- a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/12
- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
date: 2020/05/02
-modified: 2022/08/22
+modified: 2022/10/07
logsource:
product: windows
category: file_event
@@ -15,7 +15,8 @@ detection:
selection:
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
filter_update:
- Image: 'C:\Windows\System32\wuauclt.exe'
+ - Image: 'C:\Windows\System32\wuauclt.exe'
+ - TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
condition: selection and not filter_update
falsepositives:
- An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
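Review bot: Turning `filter_update` into a list makes it an OR, and the second alternative `TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'` excludes on path with no process constraint, which is a weaker exclusion than the existing `wuauclt.exe` image match for a persistence location. Since files staged under `NewOS` become the live system after the upgrade completes, a write into that staged Startup folder is exactly the case this rule exists to see. If the exclusion is needed to quiet upgrade noise, consider constraining it to the setup process as well, e.g. `- Image|startswith: 'C:\$WINDOWS.~BT\Sources\'` combined with the path, and document the reason next to the entry.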
diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml
index 3ac6496fb..1914ec979 100755
--- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml
@@ -6,7 +6,7 @@ author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
date: 2020/03/19
-modified: 2022/09/20
+modified: 2022/10/07
logsource:
product: windows
category: file_event
@@ -21,6 +21,8 @@ detection:
filter_jetbrains:
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
+ filter_upgrade:
+ TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
condition: selection and not 1 of filter_*
falsepositives:
- Operations performed through Windows SCCM or equivalent
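Review bot: `filter_upgrade` matches on `TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'` only, so it does not care which process writes the `desktop.ini`, and the directory sits at the drive root where a standard user can create it; this is the same path-only exclusion pattern added to several rules in this commit and is worth a consistent inline caveat, e.g. `# Windows in-place upgrade staging area; path-only, revisit if abused`. The rule's other filters (`filter_jetbrains` above) pair an image with a path, so this entry is also stylistically out of step. The selection this filter applies to is outside the hunk.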
diff --git a/rules/windows/file_event/file_event_win_tool_psexec.yml b/rules/windows/file_event/file_event_win_tool_psexec.yml
index b51057aa6..2dc596b5f 100644
--- a/rules/windows/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_win_tool_psexec.yml
@@ -3,18 +3,28 @@ id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
-status: experimental
+status: test
description: Detects PsExec service installation and execution events (service and Sysmon)
-author: Thomas Patzke
-date: 2017/06/12
-modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\PSEXESVC.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
fields:
- EventID
- CommandLine
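Review bot: The description `Detects PsExec service installation and execution events (service and Sysmon)` no longer matches the rule as moved into this hunk, which is a `file_event` rule matching only `TargetFilename|endswith: '\PSEXESVC.exe'`; the service-installation variant is the related rule `42c575ea-...`. The `fields` list likewise carries `EventID`, `ServiceFileName` and `PipeName`, none of which exist on a file-creation event. Suggest `description: Detects the PsExec service binary (PSEXESVC.exe) being written to disk, which happens on the target host when PsExec is used` and trimming `fields` to `TargetFilename`, `Image` and `ComputerName`.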
@@ -23,13 +33,3 @@ fields:
- ServiceFileName
- TargetFilename
- PipeName
-logsource:
- category: file_event
- product: windows
-detection:
- selection:
- TargetFilename|endswith: '\PSEXESVC.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: low
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/rules/windows/file_event/file_event_win_uac_bypass_consent_comctl32.yml
index fd9c808f7..14c550838 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_consent_comctl32.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
+status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/rules/windows/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
index f2dd94cfb..00ebb166c 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
+status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_ieinstal.yml b/rules/windows/file_event/file_event_win_uac_bypass_ieinstal.yml
index 826af0cb3..5fb87a9b7 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_ieinstal.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
+status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_msconfig_gui.yml b/rules/windows/file_event/file_event_win_uac_bypass_msconfig_gui.yml
index d896bdb07..4d747179a 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_msconfig_gui.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
+status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
index 7494bc23a..d40c2e90d 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
+status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_winsat.yml b/rules/windows/file_event/file_event_win_uac_bypass_winsat.yml
index 07a32c8ce..49fbb8b79 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_winsat.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_winsat.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
+status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_uac_bypass_wmp.yml b/rules/windows/file_event/file_event_win_uac_bypass_wmp.yml
index 1026649f9..ef2c27bd2 100644
--- a/rules/windows/file_event/file_event_win_uac_bypass_wmp.yml
+++ b/rules/windows/file_event/file_event_win_uac_bypass_wmp.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
+status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
index 572c319f9..5b1e72682 100644
--- a/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
@@ -3,13 +3,13 @@ id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
type: derived
+status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
-status: experimental
references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020/10/06
-modified: 2021/09/19
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1216
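Review bot: The `related` id `074e0ded-6ced-4ebd-8b4d-53f55908119` is not a valid UUID (the last group has 11 hex digits instead of 12), so tooling that resolves related rules by id will not find the counterpart; this hunk promotes the rule to `status: test`, which is the moment to fix the reference. Verify the intended id against the sibling rule and correct the line, e.g. `- id: 074e0ded-6ced-4ebd-8b4d-53f55908119X` with the missing digit restored (the correct value cannot be inferred from this diff).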
@@ -18,7 +18,7 @@ logsource:
category: file_event
detection:
system_files:
- TargetFilename|endswith:
+ TargetFilename|endswith:
- 'WsmPty.xsl'
- 'WsmTxt.xsl'
in_system_folder:
@@ -26,6 +26,6 @@ detection:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: system_files and not in_system_folder
-level: medium
falsepositives:
- - Unlikely
\ No newline at end of file
+ - Unlikely
+level: medium
diff --git a/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
index 07e01fa6a..dd0c53af5 100644
--- a/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -1,17 +1,17 @@
title: Wmiprvse Wbemcomn DLL Hijack
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-status: experimental
-date: 2020/10/12
-modified: 2021/09/09
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1047
- attack.lateral_movement
- attack.t1021.002
-references:
- - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
logsource:
product: windows
category: file_event
@@ -22,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
index f8a2e00e3..a6d1fa6d9 100644
--- a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
author: frack113
date: 2022/02/19
-modified: 2022/03/13
+modified: 2022/10/07
logsource:
product: windows
category: file_rename
@@ -24,6 +24,9 @@ detection:
filter_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
+ filter_upgrade:
+ - Image: 'C:\Windows\System32\wuauclt.exe'
+ - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
condition: to_dll and not 1 of filter*
falsepositives:
- Application installation
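Review bot: The `TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'` alternative in `filter_upgrade` is a path-only exclusion for a rename-to-DLL event, which is the kind of staging a side-loading attacker does, and the directory can be created by a standard user at the drive root. The other rules in this commit exclude `NewOS\` while this one excludes `Sources\`; if that difference is deliberate (setup binaries versus the staged image), a comment saying so would stop a later "harmonisation", e.g. `# setup binaries renamed during in-place upgrade; Sources\, not NewOS\, on purpose`. The `to_dll` selection and the other filters start outside this hunk.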
diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
index f982cb390..eaf808b22 100644
--- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
@@ -1,11 +1,15 @@
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
-status: experimental
+status: test
description: Detects DLL image load activity as used by FoggyWeb backdoor loader
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth
date: 2021/09/27
+modified: 2022/10/09
+tags:
+ - attack.resource_development
+ - attack.t1587
logsource:
category: image_load
product: windows
@@ -16,6 +20,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-tags:
- - attack.resource_development
- - attack.t1587
diff --git a/rules/windows/image_load/image_load_pcre_net_load.yml b/rules/windows/image_load/image_load_pcre_net_load.yml
index 3debcfa6f..8a5b65ec0 100644
--- a/rules/windows/image_load/image_load_pcre_net_load.yml
+++ b/rules/windows/image_load/image_load_pcre_net_load.yml
@@ -1,21 +1,21 @@
title: PCRE.NET Package Image Load
id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+status: test
description: Detects processes loading modules related to PCRE.NET package
-status: experimental
-date: 2020/10/29
-modified: 2021/08/14
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.execution
- - attack.t1059
references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1059
logsource:
category: image_load
product: windows
detection:
- selection:
+ selection:
ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index f74a18219..019c323ea 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -8,7 +8,7 @@ references:
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
date: 2022/08/14
-modified: 2022/09/29
+modified: 2022/10/07
tags:
- attack.defense_evasion
- attack.persistence
@@ -430,6 +430,8 @@ detection:
filter_cleanmgr:
Image: 'C:\Windows\System32\cleanmgr.exe'
ImageLoaded|endswith: '\ssshim.dll'
+ filter_upgrade:
+ Image|startswith: 'C:\$WINDOWS.~BT\'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
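Review bot: `filter_upgrade` excludes any image anywhere under `C:\$WINDOWS.~BT\` from a DLL-sideloading rule; that directory is a plain folder on the system drive rather than a protected location, so copying a signed host binary plus a malicious DLL into it would silence this rule entirely. The two sibling exclusions added in this same commit (the file_rename and WSMAN rules) narrow to `C:\$WINDOWS.~BT\Sources\`; at minimum match that here, and preferably also constrain the loaded module to the same tree so a setup binary loading a DLL from elsewhere is still caught, e.g. `filter_upgrade:` / `  Image|startswith: 'C:\$WINDOWS.~BT\Sources\'` / `  ImageLoaded|startswith: 'C:\$WINDOWS.~BT\Sources\'` — presumably the FP is setup loading its own copies of the listed DLLs, which should be confirmed from the samples. The `selection` and the remaining filters are outside this hunk.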
diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
index f935150fd..e2ecb5be8 100644
--- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -3,13 +3,13 @@ id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be
type: derived
-status: experimental
+status: test
description: Detects SILENTTRINITY stager use
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
-modified: 2021/10/04
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1071
@@ -22,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/image_load_tttracer_mod_load.yml b/rules/windows/image_load/image_load_tttracer_mod_load.yml
index c40117488..43e405e1f 100644
--- a/rules/windows/image_load/image_load_tttracer_mod_load.yml
+++ b/rules/windows/image_load/image_load_tttracer_mod_load.yml
@@ -1,14 +1,14 @@
title: Time Travel Debugging Utility Usage
id: e76c8240-d68f-4773-8880-5c6f63595aaf
-status: experimental
+status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
-author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020/10/06
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.credential_access
@@ -19,11 +19,11 @@ logsource:
category: image_load
detection:
selection:
- ImageLoaded|endswith:
- - '\ttdrecord.dll'
- - '\ttdwriter.dll'
- - '\ttdloader.dll'
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index eac2f40fa..35bdbe170 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
date: 2020/10/20
-modified: 2022/09/21
+modified: 2022/10/07
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
@@ -47,6 +47,9 @@ detection:
filter_contains:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+ filter_regedit:
+ # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
+ Image: 'C:\Windows\regedit.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
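Review bot: The new `filter_regedit` matches only `C:\Windows\regedit.exe`; on 64-bit installs a 32-bit copy presumably exists at `C:\Windows\SysWOW64\regedit.exe` and would still fire for the same "Connect Network Registry" action, so consider listing both paths (`Image:` / `  - 'C:\Windows\regedit.exe'` / `  - 'C:\Windows\SysWOW64\regedit.exe'`) if that is confirmed in your telemetry. Keeping the full path rather than an `endswith` match is the right call, since a renamed or relocated regedit.exe should not inherit the exclusion. The `selection` and the other filters are outside this hunk.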
diff --git a/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml b/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
index ae9008a44..82e939764 100644
--- a/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
+++ b/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
@@ -1,11 +1,16 @@
title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
-status: experimental
+status: test
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth
date: 2021/09/07
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
logsource:
category: image_load
product: windows
@@ -17,7 +22,3 @@ detection:
falsepositives:
- Rarely observed
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
\ No newline at end of file
diff --git a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
index 46a28be56..aac8fdfcf 100644
--- a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -1,21 +1,21 @@
title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
+status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-status: experimental
-date: 2020/10/12
-modified: 2021/09/09
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1047
- attack.lateral_movement
- attack.t1021.002
-references:
- - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
logsource:
product: windows
category: image_load
-detection:
+detection:
selection:
Image|endswith: '\wmiprvse.exe'
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index 846ebbbbb..f7401507d 100644
--- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
status: experimental
date: 2020/06/24
-modified: 2022/09/18
+modified: 2022/10/07
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
@@ -57,6 +57,8 @@ detection:
Image|startswith: 'C:\Program Files\Citrix\'
filter_ps_ise:
Image|endswith: '\powershell_ise.exe'
+ filter_upgrade:
+ Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
svchost:
Image|endswith: '\svchost.exe'
commandline_null:
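Review bot: `filter_upgrade` excludes every image under `C:\$WINDOWS.~BT\Sources\` from the WSMAN-provider rule without constraining which image it is; the directory is user-creatable, so a binary dropped there by an attacker bypasses the rule. If the false positive comes from a specific setup executable, match it by name as well, combining `Image|startswith: 'C:\$WINDOWS.~BT\Sources\'` with an `Image|endswith` for the executable observed in the FP samples, and leave a comment naming the scenario. The `selection`, `svchost` and `commandline_null` parts of the condition are outside this hunk.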
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index 12d8c9b0f..e27328c5d 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -6,6 +6,7 @@ author: frack113, Florian Roth
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
date: 2022/09/02
+modified: 2022/10/04
tags:
- attack.command_and_control
- attack.t1105
@@ -13,17 +14,15 @@ logsource:
category: network_connection
product: windows
detection:
- selection_certutil:
- - Image|endswith: '\certutil.exe'
- - OriginalFilename: 'CertUtil.exe'
- selection_network:
+ selection:
+ Image|endswith: '\certutil.exe'
Initiated: 'true'
DestinationPort:
- 80
- 443
- 135
- 445
- condition: all of selection*
+ condition: selection
falsepositives:
- Legitimate certutil network connection
level: high
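Review bot: Dropping the `OriginalFilename: 'CertUtil.exe'` alternative is correct for this logsource — Sysmon network_connection events (Event ID 3) do not carry OriginalFilename, so that branch could never match — but the consequence deserves a comment, because a copied and renamed certutil binary now evades this rule entirely. Suggest annotating the selection with `# network_connection events have no OriginalFilename; renamed copies must be caught at process creation`. `Image|endswith: '\certutil.exe'` still accepts any directory, which is fine for catching relocated copies but means the match is by file name only.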
diff --git a/rules/windows/network_connection/net_connection_win_hh.yml b/rules/windows/network_connection/net_connection_win_hh.yml
new file mode 100644
index 000000000..bde58609e
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_hh.yml
@@ -0,0 +1,31 @@
+title: HH.EXE Network Connections
+id: 468a8cea-2920-4909-a593-0cbe1d96674a
+related:
+ - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
+ type: derived
+status: experimental
+description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
+author: Nasreddine Bencherchali
+date: 2022/10/05
+references:
+ - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
+tags:
+ - attack.defense_evasion
+ - attack.t1218.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\hh.exe'
+ Initiated: 'true'
+ DestinationPort:
+ - 80
+ - 443
+ - 135
+ - 445
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
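Review bot: The `DestinationPort` allow-list of 80/443/135/445 limits the rule to four ports, so `hh.exe http://host:8080/help.chm` or any non-standard listener used for remote CHM delivery is missed, and 135/445 are odd choices for an HTML Help viewer (they appear copied from the certutil rule above). hh.exe has little legitimate reason to initiate outbound connections at all, so consider dropping the port constraint and, if noise is a concern, excluding private destinations with a `filter` on `DestinationIp|startswith` instead, as the back-connect rule does. `Image|endswith: '\hh.exe'` also matches a copy placed anywhere, which is appropriate here.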
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index 714194dea..5bbb8cd17 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -4,94 +4,94 @@ status: test
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
author: Florian Roth
references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+ - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
date: 2017/03/19
-modified: 2022/02/02
+modified: 2022/10/05
logsource:
- category: network_connection
- product: windows
- definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+ category: network_connection
+ product: windows
+ definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
- selection:
- Initiated: 'true'
- DestinationPort:
- - '4443'
- - '2448'
- - '8143'
- - '1777'
- - '1443'
- - '243'
- - '65535'
- - '13506'
- - '3360'
- - '200'
- - '198'
- - '49180'
- - '13507'
- - '6625'
- - '4444'
- - '4438'
- - '1904'
- - '13505'
- - '13504'
- - '12102'
- - '9631'
- - '5445'
- - '2443'
- - '777'
- - '13394'
- - '13145'
- - '12103'
- - '5552'
- - '3939'
- - '3675'
- - '666'
- - '473'
- - '5649'
- - '4455'
- - '4433'
- - '1817'
- - '100'
- - '65520'
- - '1960'
- - '1515'
- - '743'
- - '700'
- - '14154'
- - '14103'
- - '14102'
- - '12322'
- - '10101'
- - '7210'
- - '4040'
- - '9943'
- filter1:
- Image|contains: '\Program Files'
- filter2:
- DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- condition: selection and not 1 of filter*
+ selection:
+ Initiated: 'true'
+ DestinationPort:
+ - 4443
+ - 2448
+ - 8143
+ - 1777
+ - 1443
+ - 243
+ - 65535
+ - 13506
+ - 3360
+ - 200
+ - 198
+ - 49180
+ - 13507
+ - 6625
+ - 4444
+ - 4438
+ - 1904
+ - 13505
+ - 13504
+ - 12102
+ - 9631
+ - 5445
+ - 2443
+ - 777
+ - 13394
+ - 13145
+ - 12103
+ - 5552
+ - 3939
+ - 3675
+ - 666
+ - 473
+ - 5649
+ - 4455
+ - 4433
+ - 1817
+ - 100
+ - 65520
+ - 1960
+ - 1515
+ - 743
+ - 700
+ - 14154
+ - 14103
+ - 14102
+ - 12322
+ - 10101
+ - 7210
+ - 4040
+ - 9943
+ filter1:
+ Image|contains: '\Program Files'
+ filter2:
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ condition: selection and not 1 of filter*
falsepositives:
- - Unknown
+ - Unknown
level: medium
tags:
- - attack.command_and_control
- - attack.t1571
+ - attack.command_and_control
+ - attack.t1571
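Review bot: `filter1` uses `Image|contains: '\Program Files'`, which excludes any image whose path merely contains that substring — `C:\Users\Public\Program Files\agent.exe` or `D:\Program Files Backup\x.exe` both qualify — so an attacker can opt out of this rule simply by choosing a directory name. Anchor it to the real install roots: `Image|startswith:` / `  - 'C:\Program Files\'` / `  - 'C:\Program Files (x86)\'`. Separately, the rewritten `definition` still says the rule needs "Event ID 10 Process Access events: VBE7.DLLUNKNOWN", which is unrelated to a network_connection (Sysmon Event ID 3) logsource and looks like a paste error; it should be removed or replaced with a sentence about enabling network connection logging.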
diff --git a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
index b2a186714..3a6041a3e 100755
--- a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
@@ -4,24 +4,24 @@ status: test
description: Detects suspicious network connection by Notepad
author: EagleEye Team
references:
- - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
- - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+ - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+ - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
date: 2020/05/14
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- Image|endswith: '\notepad.exe'
- filter:
- DestinationPort: '9100'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\notepad.exe'
+ filter:
+ DestinationPort: 9100
+ condition: selection and not filter
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.command_and_control
- - attack.execution
- - attack.defense_evasion
- - attack.t1055
+ - attack.command_and_control
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1055
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index e7644ca93..a031d7218 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -1,12 +1,12 @@
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
-status: experimental
+status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
-modified: 2021/05/11
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1572
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 71537df3d..e81321141 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -1,13 +1,18 @@
title: Regsvr32 Network Activity
id: c7e91a02-d771-4a6d-a700-42587e0b1095
+status: test
description: Detects network connections and DNS queries initiated by Regsvr32.exe
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
-status: experimental
date: 2019/10/25
-modified: 2021/09/21
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1559.001
+ - attack.defense_evasion
+ - attack.t1218.010
logsource:
category: network_connection
product: windows
@@ -15,17 +20,12 @@ detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
+falsepositives:
+ - Unknown
+level: high
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.execution
- - attack.t1559.001
- - attack.defense_evasion
- - attack.t1218.010
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index b67b6c071..31eccd053 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -4,24 +4,24 @@ status: test
description: Detects a possible remote connections to Silenttrinity c2
author: Kiran kumar s, oscd.community
references:
- - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
date: 2020/10/11
-modified: 2021/11/27
+modified: 2022/10/05
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- Image|endswith: '\msbuild.exe'
- filter:
- DestinationPort:
- - '80'
- - '443'
- Initiated: 'true'
- condition: selection and filter
+ selection:
+ Image|endswith: '\msbuild.exe'
+ filter:
+ DestinationPort:
+ - 80
+ - 443
+ Initiated: 'true'
+ condition: selection and filter
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.execution
- - attack.t1127.001
+ - attack.execution
+ - attack.t1127.001
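Review bot: The search identifier named `filter` is AND-ed in `condition: selection and filter`, so it is an additional required selection rather than an exclusion; the name reads as the opposite of what it does and diverges from the `selection and not filter` pattern used in the neighbouring rules in this commit. Rename it, e.g. `selection_net:` with `condition: all of selection_*`, so the intent is clear to the next maintainer. The `Initiated: 'true'` and port constraints are otherwise unchanged apart from the int conversion.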
diff --git a/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
similarity index 100%
rename from rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml
rename to rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
diff --git a/rules/windows/network_connection/net_connection_win_susps_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
similarity index 100%
rename from rules/windows/network_connection/net_connection_win_susps_epmap.yml
rename to rules/windows/network_connection/net_connection_win_susp_epmap.yml
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
index e9ec104aa..2fcf97171 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
@@ -1,14 +1,15 @@
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
-status: experimental
+status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
- https://twitter.com/d4rksystem/status/1357010969264873472
- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
- https://github.com/Neo23x0/sigma/issues/253
- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
-date: 2021/05/25
author: Florian Roth, Wojciech Lesicki
+date: 2021/05/25
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -32,5 +33,5 @@ detection:
PipeName|startswith: '\msagent_'
condition: 1 of selection*
falsepositives:
- - Unknown
+ - Unknown
level: critical
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
index e606b2465..3dcd47c86 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
@@ -1,13 +1,13 @@
title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
-status: experimental
+status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-date: 2021/07/30
-modified: 2021/09/02
author: Florian Roth
+date: 2021/07/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
index c3b806c80..b5bc6fdfb 100644
--- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
@@ -3,14 +3,14 @@ id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
-status: experimental
+status: test
description: Detects PsExec service installation and execution events (service and Sysmon)
-author: Thomas Patzke
-date: 2017/06/12
-modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1569.002
@@ -23,6 +23,9 @@ detection:
selection:
PipeName: '\PSEXESVC'
condition: selection
+falsepositives:
+ - Unknown
+level: low
fields:
- EventID
- CommandLine
@@ -31,6 +34,3 @@ fields:
- ServiceFileName
- TargetFilename
- PipeName
-falsepositives:
- - Unknown
-level: low
diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
index 3677db9fd..0fa98a2af 100644
--- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
@@ -1,13 +1,13 @@
title: CobaltStrike Named Pipe Patterns
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
-status: experimental
+status: test
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-date: 2021/07/30
-modified: 2021/08/26
author: Florian Roth, Christian Burkard
+date: 2021/07/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
index 7d40187e2..c868b66b4 100644
--- a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
@@ -1,11 +1,15 @@
title: WMI Event Consumer Created Named Pipe
id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
-status: experimental
+status: test
description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
references:
- https://github.com/RiccardoAncarani/LiquidSnake
-date: 2021/09/01
author: Florian Roth
+date: 2021/09/01
+modified: 2022/10/09
+tags:
+ - attack.t1047
+ - attack.execution
logsource:
product: windows
category: pipe_created
@@ -17,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.t1047
- - attack.execution
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index af42eb123..7fcc5fb71 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -1,12 +1,12 @@
title: Alternate PowerShell Hosts
id: d7326048-328b-4d5e-98af-86e84b17c765
related:
- - id: 64e8e417-c19a-475a-8d19-98ea705394cc
- type: derived
+ - id: 64e8e417-c19a-475a-8d19-98ea705394cc
+ type: derived
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
-modified: 2022/02/21
+modified: 2022/10/05
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@@ -19,7 +19,7 @@ logsource:
definition: fields have to be extract from event
detection:
selection:
- HostApplication: '*'
+ HostApplication|contains: '*'
filter:
- HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
- ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
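Review bot: `HostApplication|contains: '*'` reads as a way to require the field to be present with any value, but whether a `contains` modifier wrapped around a bare wildcard compiles identically to the previous `HostApplication: '*'` depends on the backend, so confirm it against the backends in use and state the intent in a comment: `# any HostApplication value; the filter below carves out the known-good hosts`. Note also that the retained filter only whitelists the `System32\WindowsPowerShell\v1.0` path, so a 32-bit host under `SysWOW64` would still alert unless that is intentional.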
@@ -28,4 +28,4 @@ falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
index 41ddfcce0..af8e94cf9 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
@@ -3,14 +3,14 @@ id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
-status: experimental
-author: frack113
-date: 2021/07/13
-modified: 2021/09/07
+status: test
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+author: frack113
+date: 2021/07/13
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -28,11 +28,11 @@ detection:
- '-ScriptBlock '
- '-RemoteFXvGPUDisablementFilePath'
condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index b3ebc5408..78d439ab8 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -3,13 +3,13 @@ id: 71ff406e-b633-4989-96ec-bc49d825a412
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
-status: experimental
-author: frack113
-date: 2021/07/20
-modified: 2021/09/07
+status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
+author: frack113
+date: 2021/07/20
+modified: 2022/10/09
tags:
- attack.collection
- attack.t1074.001
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index d3b873308..bf8df3753 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
@@ -1,19 +1,19 @@
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
-status: experimental
-date: 2020/06/24
-modified: 2021/08/30
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
- attack.t1021.003
-references:
- - https://twitter.com/chadtilbury/status/1275851297770610688
- - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- - https://github.com/bohops/WSMan-WinRM
logsource:
product: windows
service: powershell-classic
@@ -25,5 +25,5 @@ detection:
HostApplication|contains: powershell
condition: selection and not filter
falsepositives:
- - Unknown
+ - Unknown
level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 3f7989312..2ec92afbf 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
-modified: 2022/09/20
+modified: 2022/10/05
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
@@ -16,7 +16,7 @@ logsource:
definition: PowerShell Module Logging must be enabled
detection:
selection:
- ContextInfo: '*'
+ ContextInfo|contains: '*'
filter:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
filter_citrix:
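Review bot: The new `ContextInfo|contains: '*'` on the selection line is a match-everything pattern (the modifier wraps the bare wildcard in two more), so the selection is effectively "any event with a ContextInfo field" and all of the real logic lives in the `filter*` blocks; that intent is not stated anywhere and a later maintainer may "tighten" it or drop it. Presumably the modifier was added so backends that reject a bare `'*'` value can still convert the rule, but that is inferred, not visible here. Add a comment on the selection such as `# existence check: any ContextInfo value; the filter_* blocks below carry the actual host-application logic`. The detection block continues past the hunk (`filter_citrix:` is cut off), so the remaining filters were not reviewed.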
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
index 6acd74a7f..dddb6e625 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -1,12 +1,16 @@
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
-status: experimental
+status: test
description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
references:
- https://twitter.com/NathanMcNulty/status/1569497348841287681
- https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
author: Borna Talebi
date: 2021/09/14
+modified: 2022/10/09
+tags:
+ - attack.impact
+ - attack.t1565
logsource:
product: windows
category: ps_script
@@ -18,9 +22,6 @@ detection:
- '-Namesp'
- '-NameSe'
condition: selection
-tags:
- - attack.impact
- - attack.t1565
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
new file mode 100644
index 000000000..7f392e44b
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -0,0 +1,22 @@
+title: PSAsyncShell - Asynchronous TCP Reverse Shell
+id: afd3df04-948d-46f6-ae44-25966c44b97f
+status: experimental
+description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
+references:
+ - https://github.com/JoelGMSec/PSAsyncShell
+author: Nasreddine Bencherchali
+date: 2022/10/04
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains: 'PSAsyncShell'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
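Review bot: The only indicator in the new rule is the literal tool name in `ScriptBlockText|contains: 'PSAsyncShell'`, which any operator defeats by renaming the script or stripping the banner before loading it, so `level: high` with `falsepositives: Unlikely` overstates the coverage. If the referenced repository exposes distinctive function or variable names in the script body, add them as further `contains` values (a list under the same field) so the rule keys on behaviour rather than branding. At minimum, state the limitation in the description, e.g. `description: Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell, by its tool name in the script block; a renamed copy is not covered`.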
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index fdeee6012..c01b922c5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -1,16 +1,16 @@
title: Suspicious Export-PfxCertificate
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
-status: experimental
+status: test
description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+author: Florian Roth
+date: 2021/04/23
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1552.004
-author: Florian Roth
-date: 2021/04/23
-modified: 2021/08/04
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
index e6a124409..165e6f52a 100644
--- a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
@@ -1,12 +1,18 @@
title: CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
+status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
- https://github.com/boku7/injectAmsiBypass
- https://github.com/boku7/spawn
-status: experimental
author: Christian Burkard
date: 2021/08/04
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1106
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: process_access
product: windows
@@ -14,14 +20,9 @@ detection:
selection:
CallTrace|re: '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
GrantedAccess:
- - '0x1028'
- - '0x1fffff'
+ - '0x1028'
+ - '0x1fffff'
condition: selection
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1106
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
index fd893e140..6a34e10df 100755
--- a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
@@ -1,16 +1,16 @@
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
+status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
-status: experimental
-date: 2020/10/20
-modified: 2021/06/21
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.credential_access
- - attack.t1003.001
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+modified: 2022/10/09
+tags:
+ - attack.credential_access
+ - attack.t1003.001
logsource:
category: process_access
product: windows
diff --git a/rules/windows/process_access/proc_access_win_lsass_werfault.yml b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
index 33ffa3efc..50531ce34 100644
--- a/rules/windows/process_access/proc_access_win_lsass_werfault.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
@@ -1,11 +1,12 @@
title: WerFault Accassing LSASS
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
-status: experimental
+status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
-author: Florian Roth
-date: 2012/06/27
references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
+author: Florian Roth
+date: 2012/06/27
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
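Review bot: The re-added `date: 2012/06/27` cannot be right for a rule whose description explicitly covers "win10, server2016 and up" and whose only reference is a nanodump commit; a 2012 creation date predates both, so the original date was most likely mistyped and has now been carried forward next to a fresh `modified: 2022/10/09`. Correct the year to the actual authoring date (likely 2021 or 2022, to be confirmed from the repository history) rather than leaving a value that sorts the rule before Windows 10 existed. While touching the metadata, the title line `WerFault Accassing LSASS` has a typo and should read `WerFault Accessing LSASS`.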
diff --git a/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
index 53b05c85e..68edb260b 100644
--- a/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
@@ -1,11 +1,12 @@
title: Credential Dumping by Pypykatz
id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+status: test
description: Detects LSASS process access by pypykatz for credential dumping.
-status: experimental
-date: 2021/08/03
-author: Bhabesh Raj
references:
- https://github.com/skelsec/pypykatz
+author: Bhabesh Raj
+date: 2021/08/03
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -13,9 +14,9 @@ logsource:
category: process_access
product: windows
detection:
- selection:
+ selection:
TargetImage|endswith: '\lsass.exe'
- CallTrace|contains|all:
+ CallTrace|contains|all:
- 'C:\Windows\SYSTEM32\ntdll.dll+'
- 'C:\Windows\System32\KERNELBASE.dll+'
- 'libffi-7.dll'
@@ -23,6 +24,6 @@ detection:
- 'python3*.dll+' # Pypy requires python>=3.6
GrantedAccess: '0x1FFFFF'
condition: selection
-level: critical
falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
+level: critical
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index e9f723900..84cf77da7 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -7,7 +7,7 @@ status: experimental
description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
author: Florian Roth
date: 2022/03/13
-modified: 2022/09/20
+modified: 2022/10/07
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -96,6 +96,9 @@ detection:
filter_xampp:
SourceImage|endswith: '\xampp-control.exe'
GrantedAccess: '0x410'
+ filter_games:
+ SourceImage|contains: '\SteamLibrary\steamapps\'
+ GrantedAccess: '0x410'
condition: selection and not 1 of filter*
fields:
- User
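Review bot: The new `filter_games` exclusion keys on `SourceImage|contains: '\SteamLibrary\steamapps\'`, a substring an attacker can satisfy by creating that directory anywhere writable (for example under a user profile) and launching a dumper from it, and it then suppresses exactly the `0x410` access mask (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) that this rule exists to catch against LSASS. That makes the filter a cheap, documented bypass for a high-value detection rather than a narrow whitelist. Prefer naming the specific game or anti-cheat binaries that were observed (`SourceImage|endswith:` a list of image names) instead of a path fragment, or at least pair the path with a known image name, and add a comment such as `# NOTE: user-writable path; a path-only filter on LSASS reads is evadable — keep this list tight`.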
diff --git a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml b/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
index 167885c57..8f9ad2a17 100644
--- a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
@@ -1,23 +1,24 @@
title: SVCHOST Credential Dump
id: 174afcfa-6e40-4ae9-af64-496546389294
+status: test
description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
-status: experimental
-date: 2021/04/30
author: Florent Labouyrie
+date: 2021/04/30
+modified: 2022/10/09
+tags:
+ - attack.t1548
logsource:
product: windows
category: process_access
-tags:
- - attack.t1548
detection:
selection_process:
TargetImage|endswith: '\svchost.exe'
selection_memory:
GrantedAccess: '0x143a'
filter_trusted_process_access:
- SourceImage|endswith:
- - '*\services.exe'
- - '*\msiexec.exe'
+ SourceImage|endswith:
+ - '*\services.exe'
+ - '*\msiexec.exe'
condition: selection_process and selection_memory and not filter_trusted_process_access
falsepositives:
- Non identified legit exectubale
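Review bot: The re-indented filter values `'*\services.exe'` and `'*\msiexec.exe'` carry a leading `*` inside an `endswith` modifier, which already prepends a wildcard; the result is a doubled wildcard that converts to odd patterns on some backends and reads as if a plain match were intended. Drop the redundant prefix: `- '\services.exe'` and `- '\msiexec.exe'`. Separately, the relocated tag `attack.t1548` (Abuse Elevation Control Mechanism) does not match a rule that, per its description, detects credential dumping from svchost memory; `attack.credential_access` with `attack.t1003` is the technique the detection actually covers, so the tag block should be corrected in the same pass.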
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index bf6ac9d84..fa666748b 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+status: test
description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
index 87264d4f3..60804f202 100644
--- a/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
+++ b/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
@@ -1,11 +1,12 @@
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
-status: experimental
-author: frack113
-date: 2021/09/01
+status: test
description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: frack113
+date: 2021/09/01
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1564.004
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
index 56babca75..02b0d76fb 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
@@ -1,12 +1,13 @@
title: AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
-status: experimental
-author: Ján Trenčanský
-date: 2021/08/06
+status: test
description: AnyDesk Remote Desktop silent installation can be used by attacker to gain remote access.
references:
- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
- https://support.anydesk.com/Automatic_Deployment
+author: Ján Trenčanský
+date: 2021/08/06
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
index ffabc8685..81961bada 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
@@ -3,14 +3,14 @@ id: 18739897-21b1-41da-8ee4-5b786915a676
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
-status: experimental
+status: test
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-author: Tim Burrell
-date: 2020/02/07
-modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+author: Tim Burrell
+date: 2020/02/07
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1212
@@ -29,4 +29,4 @@ detection:
condition: legitimate_executable and not legitimate_process_path
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
index 3edf95205..fe87f7f1f 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
@@ -1,16 +1,16 @@
title: GALLIUM Artefacts
id: 440a56bf-7873-4439-940a-1c8a671073c2
-status: experimental
+status: test
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-author: Tim Burrell
-date: 2020/02/07
-modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+author: Tim Burrell
+date: 2020/02/07
+modified: 2022/10/09
tags:
- attack.credential_access
- - attack.t1212
+ - attack.t1212
- attack.command_and_control
- attack.t1071
logsource:
@@ -41,4 +41,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml b/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
index aba2a631d..4b944e144 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
@@ -1,16 +1,20 @@
title: Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
+status: test
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
-author: Florian Roth
-date: 2021/03/09
-modified: 2021/03/16
-status: experimental
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
- https://twitter.com/BleepinComputer/status/1372218235949617161
+author: Florian Roth
+date: 2021/03/09
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1546
+ - attack.t1053
logsource:
category: process_creation
product: windows
@@ -30,7 +34,7 @@ detection:
CommandLine|contains|all:
- 'vssadmin list shadows'
- 'Temp\__output'
- selection4:
+ selection4:
CommandLine|contains: '%TEMP%\execute.bat'
selection5:
Image|endswith: 'Users\Public\opera\Opera_browser.exe'
@@ -52,11 +56,11 @@ detection:
- 'Microsoft\Exchange Server\'
- 'inetpub\wwwroot'
selection10:
- CommandLine|contains:
+ CommandLine|contains:
- '\Temp\xx.bat'
- 'Windows\WwanSvcdcs'
- 'Windows\Temp\cw.exe'
- selection11:
+ selection11:
CommandLine|contains|all:
- '\comsvcs.dll'
- 'Minidump'
@@ -70,7 +74,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1546
- - attack.t1053
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
index b6c6b6aef..fa062bb0d 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
@@ -1,16 +1,16 @@
title: Lazarus Activity
id: 4a12fa47-c735-4032-a214-6fab5b120670
+status: test
description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
-status: experimental
references:
- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+author: Bhabesh Raj
+date: 2021/04/20
+modified: 2022/10/09
tags:
- attack.g0032
- attack.execution
- attack.t1106
-author: Bhabesh Raj
-date: 2021/04/20
-modified: 2021/06/27
logsource:
category: process_creation
product: windows
@@ -28,4 +28,4 @@ detection:
condition: 1 of selection*
falsepositives:
- Should not be any false positives
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
index 163796a0f..bf721ab56 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
@@ -1,17 +1,17 @@
title: Lazarus Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
+status: test
description: Detects different process creation events as described in various threat reports on Lazarus group activity
-status: experimental
references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- https://www.hvs-consulting.de/lazarus-report/
+author: Florian Roth
+date: 2020/12/23
+modified: 2022/10/09
tags:
- attack.g0032
- attack.execution
- attack.t1059
-author: Florian Roth
-date: 2020/12/23
-modified: 2021/06/27
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml b/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
index 6e04b4af0..08435287b 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
@@ -1,12 +1,12 @@
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-status: experimental
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1053.005
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml
index a1b7ff41a..32660768a 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml
@@ -1,14 +1,14 @@
title: SOURGUM Actor Behaviours
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
+status: test
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
-author: MSTIC, FPT.EagleEye
-status: experimental
references:
- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+author: MSTIC, FPT.EagleEye
date: 2021/06/15
-modified: 2021/07/30
+modified: 2022/10/09
tags:
- attack.t1546
- attack.t1546.015
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
index 043666225..5a05aff7b 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
@@ -1,9 +1,12 @@
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
-status: experimental
+status: test
description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
+author: Markus Neis
+date: 2017/11/07
+modified: 2022/10/09
tags:
- attack.g0010
- attack.execution
@@ -13,9 +16,6 @@ tags:
- attack.discovery
- attack.t1083
- attack.t1135
-author: Markus Neis
-date: 2017/11/07
-modified: 2021/09/19
logsource:
category: process_creation
product: windows
@@ -26,6 +26,6 @@ detection:
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
-level: critical
falsepositives:
- - Unknown
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
index a8a32766e..86c0f3bf0 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
@@ -1,9 +1,12 @@
title: Turla Group Lateral Movement
id: 75925535-ca97-4e0a-a850-00b5c00779dc
-status: experimental
+status: test
description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
+author: Markus Neis
+date: 2017/11/07
+modified: 2022/10/09
tags:
- attack.g0010
- attack.execution
@@ -13,21 +16,18 @@ tags:
- attack.discovery
- attack.t1083
- attack.t1135
-author: Markus Neis
-date: 2017/11/07
-modified: 2021/09/19
logsource:
category: process_creation
product: windows
detection:
- netCommand1:
- CommandLine: 'net view /DOMAIN'
- netCommand2:
- CommandLine: 'net session'
- netCommand3:
- CommandLine: 'net share'
- timeframe: 1m
- condition: netCommand1 | near netCommand2 and netCommand3
-level: medium
+ netCommand1:
+ CommandLine: 'net view /DOMAIN'
+ netCommand2:
+ CommandLine: 'net session'
+ netCommand3:
+ CommandLine: 'net share'
+ timeframe: 1m
+ condition: netCommand1 | near netCommand2 and netCommand3
falsepositives:
- - Unknown
+ - Unknown
+level: medium
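Review bot: The re-indented selections use exact matches (`CommandLine: 'net view /DOMAIN'`, `'net session'`, `'net share'`), so any invocation with a path, quoting or `net1` (for example `C:\Windows\system32\net.exe view /DOMAIN`) is missed, which is easy to hit in real lateral-movement tooling. Switch them to `CommandLine|contains:` with the same values, or use `|endswith` if the leading executable is the only variation expected. The `timeframe: 1m` plus `condition: netCommand1 | near netCommand2 and netCommand3` also depends on the legacy `near` aggregation, which newer pySigma-based converters do not support (to be confirmed against the backends this repository targets); if that is the case the rule will fail conversion despite its `status: test` promotion.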
diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
index 86ddd5b56..69fc53568 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
@@ -1,17 +1,17 @@
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
+status: test
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
-status: experimental
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+author: Florian Roth
+date: 2021/01/22
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
# - sunburst
# - unc2452
-author: Florian Roth
-date: 2021/01/22
-modified: 2021/06/27
logsource:
category: process_creation
product: windows
@@ -44,4 +44,4 @@ detection:
condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
index 9c2b15046..bc1458ab7 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
@@ -1,19 +1,19 @@
title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
+status: test
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
-status: experimental
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
+author: Florian Roth
+date: 2021/01/20
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
- attack.t1047
# - sunburst
-author: Florian Roth
-date: 2021/01/20
-modified: 2021/01/22
logsource:
category: process_creation
product: windows
@@ -23,7 +23,7 @@ detection:
- 'Invoke-WMIMethod win32_process -name create -argumentlist'
- 'rundll32 c:\windows'
selection2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'wmic /node:'
- 'process call create "rundll32 c:\windows'
condition: 1 of selection*
diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
index 5aeb7d762..d25640739 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
@@ -3,12 +3,14 @@ id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
related:
- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
type: derived
-author: Florian Roth, frack113
-status: experimental
+status: test
description: Detects activity mentioned in Operation Wocao report
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
+author: Florian Roth, frack113
+date: 2019/12/20
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1012
@@ -18,8 +20,6 @@ tags:
- attack.execution
- attack.t1053.005
- attack.t1059.001
-date: 2019/12/20
-modified: 2021/09/19
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
index 2714a92ef..b66b0dc98 100644
--- a/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
+++ b/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
@@ -1,13 +1,14 @@
title: Atlassian Confluence CVE-2021-26084
id: 245f92e3-c4da-45f1-9070-bc552e06db11
-status: experimental
+status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
-author: Bhabesh Raj
-date: 2021/09/08
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
+author: Bhabesh Raj
+date: 2021/09/08
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_automated_collection.yml b/rules/windows/process_creation/proc_creation_win_automated_collection.yml
index 389cb93dc..c0e534c3c 100644
--- a/rules/windows/process_creation/proc_creation_win_automated_collection.yml
+++ b/rules/windows/process_creation/proc_creation_win_automated_collection.yml
@@ -1,12 +1,18 @@
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
-status: experimental
-author: frack113
-date: 2021/07/28
+status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
+date: 2021/07/28
+modified: 2022/10/09
+tags:
+ - attack.collection
+ - attack.t1119
+ - attack.credential_access
+ - attack.t1552.001
logsource:
category: process_creation
product: windows
@@ -29,15 +35,10 @@ detection:
- ' /s '
selection_findstr:
OriginalFileName: FINDSTR.EXE
- CommandLine|contains:
+ CommandLine|contains:
- ' /e '
- ' /si '
condition: selection_ext and (selection_dir or selection_findstr)
falsepositives:
- Unknown
level: medium
-tags:
- - attack.collection
- - attack.t1119
- - attack.credential_access
- - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
index f2f783ef8..3e81e808e 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
@@ -1,20 +1,20 @@
title: Bitsadmin Download
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
-status: experimental
+status: test
description: Detects usage of bitsadmin downloading a file
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+author: Michael Haag, FPT.EagleEye
+date: 2017/03/09
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- attack.s0190
- attack.t1036.003
-date: 2017/03/09
-modified: 2021/07/16
-author: Michael Haag, FPT.EagleEye
logsource:
category: process_creation
product: windows
@@ -32,9 +32,9 @@ detection:
selection2:
CommandLine|contains: 'copy bitsadmin.exe'
condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Some legitimate apps use this, but limited.
level: medium
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_clip.yml b/rules/windows/process_creation/proc_creation_win_clip.yml
index 8d1990c40..87c81db09 100644
--- a/rules/windows/process_creation/proc_creation_win_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_clip.yml
@@ -1,12 +1,13 @@
title: Use of CLIP
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
-status: experimental
-author: frack113
-date: 2021/07/27
+status: test
description: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
+author: frack113
+date: 2021/07/27
+modified: 2022/10/09
tags:
- attack.collection
- attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
index 33a39958b..39d4c1feb 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
@@ -4,36 +4,42 @@ id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
author: _pete_0, TheDFIRReport
references:
- - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
+ - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
+ - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
+ - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
date: 2022/05/06
-modified: 2022/05/06
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|startswith:
- - 'cmd.exe'
- - 'c:\windows\system32\cmd.exe'
- CommandLine|contains:
- - psinject
- - spawnas
- - make_token
- - remote-exec
- - rev2self
- - dcsync
- - logonpasswords
- - execute-assembly
- - getsystem
- Image|endswith: '\cmd.exe'
- condition: selection
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: high
+modified: 2022/10/07
tags:
- - attack.execution
- - attack.t1059.003
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|startswith:
+ - 'cmd.exe'
+ - 'c:\windows\system32\cmd.exe'
+ CommandLine|contains:
+ - psinject
+ - spawnas
+ - make_token
+ - remote-exec
+ - rev2self
+ - dcsync
+ - logonpasswords
+ - execute-assembly
+ - getsystem
+ Image|endswith: '\cmd.exe'
+ filter_vscode:
+ # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above
+ ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP
+ CommandLine|contains|all:
+ - '/d /s /c '
+ - 'checkfilenameiocs --ioc-path '
+ condition: selection and not 1 of filter_*
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
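Review bot: The new `filter_vscode` exclusion keys only on fields the launching user controls — a parent path under the user-writable profile directory and two command-line substrings — so it is a broad exemption on a high-level rule and should at least be documented as such; the comment above it only explains the VS Code scenario, not that the exemption itself is spoofable, so consider extending it with `# NOTE: parent path and command-line substrings are user-controlled; this exemption weakens the rule`. On style, `ParentImage|endswith` is the only unquoted backslash path in the file, so write `ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'` to match the quoted `'\cmd.exe'` beside it, and fix "occure" to "occur" in the comment. The rule's title and id lines start above the hunk.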
diff --git a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
index 7dc95edf6..e1b08e7a6 100644
--- a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
@@ -1,13 +1,13 @@
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
+status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
-status: experimental
-author: Sreeman
-date: 2020/10/29
-modified: 2021/06/11
references:
- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
+author: Sreeman
+date: 2020/10/29
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1556.002
diff --git a/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml b/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml
index 3086a630d..f613bbe38 100644
--- a/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml
@@ -1,11 +1,12 @@
title: Discover Private Keys
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
-status: experimental
-author: frack113
-date: 2021/07/20
+status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
+author: frack113
+date: 2021/07/20
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1552.004
@@ -30,11 +31,11 @@ detection:
- '.p7b'
- '.asc'
condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
index 7f43e5439..c50856c52 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
@@ -3,14 +3,13 @@ id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
-status: experimental
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
- (restart required)
+status: test
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-date: 2017/05/08
-modified: 2021/09/12
author: Florian Roth
+date: 2017/05/08
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -21,7 +20,7 @@ logsource:
detection:
selection:
Image|endswith: '\dnscmd.exe'
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '/config'
- '/serverlevelplugindll'
condition: selection
@@ -34,4 +33,4 @@ fields:
- ParentCommandLine
- Image
- User
- - TargetObject
\ No newline at end of file
+ - TargetObject
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index 7bc952889..1e4b4297c 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -1,13 +1,13 @@
title: Cabinet File Expansion
-status: experimental
id: 9f107a84-532c-41af-b005-8d12a607639f
-author: Bhabesh Raj
-date: 2021/07/30
-modified: 2021/08/31
+status: test
description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
+author: Bhabesh Raj
+date: 2021/07/30
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1218
@@ -30,11 +30,11 @@ detection:
ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
condition: selection and not 1 of filter_*
+falsepositives:
+ - System administrator Usage
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - System administrator Usage
-level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
index 6059a577c..e78d699f1 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
@@ -22,5 +22,5 @@ falsepositives:
- Certain software or administrative tasks may trigger false positives.
level: low
tags:
- - attack.peripheral_device_discovery
+ - attack.discovery
- attack.t1120
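Review bot: This tag correction changes rule content without a `modified:` bump, whereas the other edited rules in this commit add or update `modified: 2022/10/09`; if the header above the hunk has no `modified` line, add one with this change's date. The same applies to the tag rewrite in rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml, whose visible header has `date: 2022/01/03` but no `modified` line. The file's header lines are outside the hunk.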
diff --git a/rules/windows/process_creation/proc_creation_win_gmer_execution.yml b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml
new file mode 100644
index 000000000..74374c55a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml
@@ -0,0 +1,29 @@
+title: GMER - Rootkit Detector and Remover Execution
+id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
+status: experimental
+description: Detects the execution GMER tool based on image and hash fields.
+references:
+ - http://www.gmer.net/
+author: Nasreddine Bencherchali
+date: 2022/10/05
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\gmer.exe'
+ selection_sysmon_hash:
+ Hashes|contains:
+ - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
+ - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
+ - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
+ selection_other:
+ - MD5: 'e9dc058440d321aa17d0600b3ca0ab04'
+ - SHA1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
+ - SHA256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
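Review bot: The description says the rule keys on "image and hash fields", but `condition: 1 of selection_*` fires on the image name alone, so any file named gmer.exe matches at level high with falsepositives "Unlikely"; either reword to `description: Detects the execution of the GMER tool based on image name or hash fields.` or require a hash selection alongside the image match for the high level. The tag list carries only the tactic `attack.defense_evasion` with no technique-level tag, unlike the other rules touched in this commit. The description also drops a word ("the execution GMER tool" → "the execution of the GMER tool").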
diff --git a/rules/windows/process_creation/proc_creation_win_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_handlekatz.yml
index 0383d0ebb..7761b63f8 100644
--- a/rules/windows/process_creation/proc_creation_win_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_handlekatz.yml
@@ -6,11 +6,12 @@ references:
status: experimental
author: Florian Roth
date: 2022/08/18
+modified: 2022/10/05
logsource:
category: process_creation
product: windows
detection:
- selection_loader:
+ selection_loader_img:
Image|endswith: '\loader.exe'
CommandLine|contains: '--pid:'
selection_loader_imphash:
@@ -20,17 +21,16 @@ detection:
- Hashes:
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
- selection_flags_1:
+ selection_flags:
CommandLine|contains|all:
- '--pid:'
- '--outfile:'
- selection_flags_2:
CommandLine|contains:
- '.dmp'
- 'lsass'
- '.obf'
- 'dump'
- condition: 1 of selection_loader_* or all of selection_flags*
+ condition: 1 of selection_*
falsepositives:
- Unknown
tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml
new file mode 100644
index 000000000..d7cd3389c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml
@@ -0,0 +1,23 @@
+title: HH.exe Remote CHM File Execution
+id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
+status: experimental
+description: Detects usage of hh.exe to execute/download remotely hosted .chm files.
+author: Nasreddine Bencherchali
+references:
+ - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
+date: 2022/09/29
+tags:
+ - attack.defense_evasion
+ - attack.t1218.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\hh.exe'
+ CommandLine|contains: ' http'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
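Review bot: The metadata order in this new file (`author` before `references`, `date` after them) is the opposite of the title/id/status/description/references/author/date/modified/tags order the rest of this commit normalizes existing rules to; move `author` and `date` below `references`. The image match could also take the `OriginalFileName` form used in the SyncAppvPublishingServer hunk of this commit, e.g. `selection_img:` with `- Image|endswith: '\hh.exe'` and `- OriginalFileName: 'HH.exe'` (verify the value against the binary's version resource), since `Image|endswith` alone is defeated by renaming the binary. Note that `CommandLine|contains: ' http'` is a substring match, so it covers `https` but equally any argument that merely starts with "http".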
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml b/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
index 9eb0aefd9..f429f0eb8 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
@@ -1,11 +1,12 @@
title: Impacket Tool Execution
-status: experimental
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
+status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
-author: Florian Roth
-date: 2021/07/24
references:
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
+author: Florian Roth
+date: 2021/07/24
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1557.001
@@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- - Image|contains:
+ - Image|contains:
- '\goldenPac'
- '\karmaSMB'
- '\kintercept'
@@ -26,7 +27,7 @@ detection:
- '\smbrelayx'
- '\wmiexec'
- '\wmipersist'
- - Image|endswith:
+ - Image|endswith:
# - '\addcomputer_windows.exe'
- '\atexec_windows.exe'
- '\dcomexec_windows.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml b/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
index 0fef0ec45..ee2df63bb 100644
--- a/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
@@ -1,12 +1,16 @@
title: InfDefaultInstall.exe .inf Execution
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
-status: experimental
-author: frack113
-date: 2021/07/13
+status: test
description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
- https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
+author: frack113
+date: 2021/07/13
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218
logsource:
category: process_creation
product: windows
@@ -16,14 +20,11 @@ detection:
- 'InfDefaultInstall.exe '
- '.inf'
condition: selection
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
index b863bfcf8..dae6e57b4 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
@@ -1,13 +1,13 @@
title: Execution via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
+status: test
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
-status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/05/21
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1216
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
index 177e320df..126fc2b86 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
@@ -3,22 +3,20 @@ id: 575dce0c-8139-4e30-9295-1ee75969f7fe
description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
status: experimental
references:
- - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
+ - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
author: blueteamer8699
date: 2022/01/03
tags:
- attack.discovery
- - attack.group_policy_discovery
- attack.execution
- - attack.command_and_scripting_interpreter
- - attack.visual_basic
+ - attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'cscript.exe'
- 'gatherNetworkInfo.vbs'
condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
index ba9184b1c..c5fc08317 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
@@ -1,12 +1,13 @@
title: Xwizard DLL Sideloading
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
-status: experimental
+status: test
description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
references:
- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard
date: 2021/09/20
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1574.002
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
index b8e182c88..f33090592 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
@@ -1,13 +1,13 @@
title: Suspicious Atbroker Execution
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+status: test
description: Atbroker executing non-deafualt Assistive Technology applications
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
-status: experimental
author: Mateusz Wydra, oscd.community
date: 2020/10/12
-modified: 2021/08/14
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
index ba5891a5f..65ba4dc65 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
@@ -1,12 +1,13 @@
title: Suspicious Driver Install by pnputil.exe
-status: experimental
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
-author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
-date: 2021/09/30
+status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
- https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
+author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
+date: 2021/09/30
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1547
@@ -23,13 +24,13 @@ detection:
- '.inf'
Image|endswith: '\pnputil.exe'
condition: selection
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
falsepositives:
- Pnputil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index e9ec82123..6cc958976 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -6,7 +6,7 @@ related:
status: experimental
author: frack113
date: 2021/07/12
-modified: 2021/09/12
+modified: 2022/10/04
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
@@ -18,10 +18,12 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- Image|endswith: '\SyncAppvPublishingServer.exe'
+ selection_img:
+ - Image|endswith: '\SyncAppvPublishingServer.exe'
+ - OriginalFileName: 'syncappvpublishingserver.exe'
+ selection_cli:
CommandLine|contains: '"n; '
- condition: selection
+ condition: all of selection_*
fields:
- ComputerName
- User
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index ffccba042..3b206cf3f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -1,17 +1,17 @@
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
-status: experimental
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
+status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
-author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020/10/06
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.credential_access
@@ -22,8 +22,8 @@ logsource:
category: process_creation
detection:
selection:
- ParentImage|endswith: '\tttracer.exe'
+ ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mal_adwind.yml b/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
index b777f363a..37f7153ae 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
@@ -1,13 +1,13 @@
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
-status: experimental
+status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
-modified: 2021/09/19
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.005
@@ -26,4 +26,4 @@ detection:
- 'Retrive'
- '.vbs '
condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
index c5ff7aa41..32300008b 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
@@ -3,17 +3,17 @@ id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
- id: ce239692-aa94-41b3-b32f-9cab259c96ea
type: merged
-date: 2020/05/14
-modified: 2021/09/11
-status: experimental
+status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1112
- attack.t1047
-author: Trent Liffick (@tliffick)
logsource:
category: process_creation
product: windows
@@ -29,4 +29,4 @@ detection:
condition: sc_cmd or wmic_cmd
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
index 23a992248..d8352babb 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
@@ -1,12 +1,16 @@
title: Conti NTDS Exfiltration Command
id: aa92fd02-09f2-48b0-8a93-864813fb8f41
+status: test
description: Detects a command used by conti to exfiltrate NTDS
-author: Max Altgelt, Tobias Michalski
-date: 2021/08/09
-status: experimental
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.collection
+ - attack.t1560
logsource:
category: process_creation
product: windows
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.collection
- - attack.t1560
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
index 00ad7170e..afafb0bb6 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
@@ -4,49 +4,49 @@ status: test
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
references:
- - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
+ - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
+ - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
+ - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
+ - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
date: 2019/09/30
-modified: 2021/11/27
+modified: 2022/10/06
logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
detection:
- selection:
+ selection1:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- ParentCommandLine|endswith: '.exe'
- selection2:
- - CommandLine|contains|all:
- - '/c'
- - 'del'
- - 'C:\Users\'
- - '\AppData\Local\Temp\'
- - CommandLine|contains|all:
- - '/c'
- - 'del'
- - 'C:\Users\'
- - '\Desktop\'
- - CommandLine|contains|all:
- - '/C'
- - 'type nul >'
- - 'C:\Users\'
- - '\Desktop\'
- selection3:
- CommandLine|endswith: '.exe'
- condition: selection and selection2 and selection3
+ ParentCommandLine|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ ParentCommandLine|endswith: '.exe'
+ selection2:
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\Desktop\'
+ - CommandLine|contains|all:
+ - '/C'
+ - 'type nul >'
+ - 'C:\Users\'
+ - '\Desktop\'
+ selection3:
+ CommandLine|endswith: '.exe'
+ condition: all of selection*
fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.develop_capabilities
- - attack.t1587.001
+ - attack.resource_development
+ - attack.t1587.001
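Review bot: The hunk mixes a whole-file re-indentation with the semantic change (the `selection` → `selection1` rename and `condition: all of selection*`), which buries the logic change in whitespace churn; the condition rewrite and the tag fix would review better as their own change. The bare `selection*` wildcard with `selection1`/`selection2`/`selection3` also departs from the `selection_<n>` plus `all of selection_*` convention the other rules in this commit use (e.g. the private-keys and getsystem hunks), so `selection_1`, `selection_2`, `selection_3` with `condition: all of selection_*` would keep the repository consistent. The rule's title and id lines start above the hunk.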
diff --git a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
index 500e0fa24..82d2e0c6d 100644
--- a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
+++ b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
@@ -1,19 +1,19 @@
title: Suspicious Usage of the Manage-bde.wsf Script
id: c363385c-f75d-4753-a108-c1a8e28bdbda
+status: test
description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
-status: experimental
references:
- https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
- https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
- https://twitter.com/bohops/status/980659399495741441
- https://twitter.com/JohnLaTwC/status/1223292479270600706
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
+author: oscd.community, Natalia Shornikova
+date: 2020/10/13
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1216
-date: 2020/10/13
-modified: 2021/05/21
-author: oscd.community, Natalia Shornikova
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 59be92668..59e803a37 100644
--- a/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,13 +1,13 @@
title: Meterpreter or Cobalt Strike Getsystem Service Start
id: 15619216-e993-4721-b590-4c520615a67d
+status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-status: experimental
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-modified: 2021/05/20
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1134.001
@@ -18,7 +18,7 @@ logsource:
detection:
selection_1:
ParentImage|endswith: '\services.exe'
- selection_2:
+ selection_2:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- CommandLine|contains|all:
- 'cmd'
@@ -45,11 +45,11 @@ detection:
filter1:
CommandLine|contains: 'MpCmdRun'
condition: selection_1 and selection_2 and not filter1
-fields:
- - ComputerName
- - User
- - CommandLine
falsepositives:
- Commandlines containing components like cmd accidentally
- Jobs and services started with cmd
level: high
+fields:
+ - ComputerName
+ - User
+ - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml
index 81afa4eff..4ef5cffda 100644
--- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml
@@ -4,55 +4,61 @@ status: test
description: Detection well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- - https://tools.thehacker.recipes/mimikatz/modules
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://tools.thehacker.recipes/mimikatz/modules
date: 2019/10/22
-modified: 2022/02/07
+modified: 2022/10/07
tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.004
- - attack.t1003.005
- - attack.t1003.006
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.005
+ - attack.t1003.006
logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
detection:
- selection_1:
- CommandLine|contains:
- - DumpCreds
- - invoke-mimikatz
- module_names:
- CommandLine|contains:
- - rpc
- - token
- - crypto
- - dpapi
- - sekurlsa
- - kerberos
- - lsadump
- - privilege
- - process
- - vault
- mimikatz_separator:
- CommandLine|contains: '::'
- function_names: # To cover functions from modules that are not in module_names (likely too generic)
- CommandLine|contains:
- - 'aadcookie' #misc module
- - 'detours' #misc module
- - 'memssp' #misc module
- - 'mflt' #misc module
- - 'ncroutemon' #misc module
- - 'ngcsign' #misc module
- - 'printnightmare' #misc module
- - 'skeleton' #misc module
- - 'preshutdown' #service module
- - 'mstsc' #ts module
- - 'multirdp' #ts module
- filter_1:
- CommandLine|contains: 'function Convert-GuidToCompressedGuid'
- condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter*
+ selection_1:
+ CommandLine|contains:
+ - DumpCreds
+ - invoke-mimikatz
+ module_names:
+ CommandLine|contains:
+ - rpc
+ - token
+ - crypto
+ - dpapi
+ - sekurlsa
+ - kerberos
+ - lsadump
+ - privilege
+ - process
+ - vault
+ mimikatz_separator:
+ CommandLine|contains: '::'
+ function_names: # To cover functions from modules that are not in module_names (likely too generic)
+ CommandLine|contains:
+ - 'aadcookie' #misc module
+ - 'detours' #misc module
+ - 'memssp' #misc module
+ - 'mflt' #misc module
+ - 'ncroutemon' #misc module
+ - 'ngcsign' #misc module
+ - 'printnightmare' #misc module
+ - 'skeleton' #misc module
+ - 'preshutdown' #service module
+ - 'mstsc' #ts module
+ - 'multirdp' #ts module
+ filter_1:
+ CommandLine|contains: 'function Convert-GuidToCompressedGuid'
+ filter_vscode:
+ # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above
+ ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP
+ CommandLine|contains|all:
+ - '/d /s /c '
+ - 'checkfilenameiocs --ioc-path '
+ condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter*
falsepositives:
- - Legitimate Administrator using tool for password recovery
+ - Legitimate Administrator using tool for password recovery
level: medium
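Review bot: The new `filter_vscode` exclusion constrains ParentImage and CommandLine but not the child Image, even though `/d /s /c ` is the argument form of cmd.exe, so the observed false positive can be pinned more tightly by adding `Image|endswith: '\cmd.exe'` to the filter. This matters because the parent path it keys on lives under the user-writable profile (`\AppData\Local\Programs\...`), so an unprivileged user can stage a binary at exactly that path; the extra `checkfilenameiocs --ioc-path ` constraint already limits the exposure, but one more field costs nothing and keeps the exclusion specific to the VS Code task it was written for. The inline comment on the ParentImage line also has a typo (`occure`) that could be fixed while here.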
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml
index e652c7c81..20f221f63 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml
@@ -1,12 +1,12 @@
title: Mounted Windows Admin Shares with net.exe
id: 3abd6094-7027-475f-9630-8ab9be7b9725
-status: experimental
+status: test
description: Detects when an admin share is mounted using net.exe
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga'
date: 2020/10/05
-modified: 2021/06/27
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1021.002
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
index 41751f51d..8d0415a03 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
@@ -1,19 +1,19 @@
title: Netsh Port Forwarding
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
+status: test
description: Detects netsh commands that configure a port forwarding (PortProxy)
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
+author: Florian Roth, omkar72, oscd.community
date: 2019/01/29
-modified: 2021/06/22
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
-status: experimental
-author: Florian Roth, omkar72, oscd.community
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
index c772b686b..b71fef3fa 100644
--- a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
@@ -1,12 +1,12 @@
title: Non Interactive PowerShell
id: f4bbd493-b796-416e-bbf2-121235348529
+status: test
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
-status: experimental
-date: 2019/09/12
-modified: 2021/05/10
-author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
+date: 2019/09/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
@@ -17,7 +17,7 @@ detection:
selection:
Image|endswith: '\powershell.exe'
filter:
- ParentImage|endswith:
+ ParentImage|endswith:
- '\explorer.exe'
- '\CompatTelRunner.exe'
condition: selection and not filter
diff --git a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml b/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
new file mode 100644
index 000000000..a95004187
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
@@ -0,0 +1,24 @@
+title: PCHunter Execution
+id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc
+status: experimental
+description: Detects the execution PCHunter based on image and Original File Name fields.
+references:
+ - http://www.xuetr.com/
+ - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+author: Nasreddine Bencherchali
+date: 2022/10/05
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith:
+ - '\PCHunter32.exe'
+ - '\PCHunter64.exe'
+ - OriginalFileName: 'PCHunter.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
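Review bot: The selection matches either on the file name or on OriginalFileName, and the description should state that the second branch only works on a log source that populates PE version info (e.g. Sysmon), since on a plain 4688 feed a renamed copy of the tool will not match at all; the description is also missing a word (`Detects the execution PCHunter` → `Detects the execution of PCHunter`). The tag list carries only `attack.defense_evasion` with no technique ID; if the intent is the commonly reported use of this kernel tool to tamper with security software, `attack.t1562.001` would be the natural addition, but confirm against the references before tagging. A note under `falsepositives` that administrators or incident responders may run the tool deliberately would also help triage at `level: high`.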
diff --git a/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml b/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml
new file mode 100644
index 000000000..04acab626
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml
@@ -0,0 +1,26 @@
+title: Use of PDQ Deploy Remote Adminstartion Tool
+id: d679950c-abb7-43a6-80fb-2a480c4fc450
+status: experimental
+description: Detect use of PDQ Deploy remote admin tool
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
+ - https://www.pdq.com/pdq-deploy/
+author: frack113
+date: 2022/10/01
+tags:
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1072
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Description: PDQ Deploy Console
+ - Product: PDQ Deploy
+ - Company: PDQ.com
+ - OriginalFileName: PDQDeployConsole.exe
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: medium
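Review bot: All four selectors (`Description`, `Product`, `Company`, `OriginalFileName`) are PE version-info fields, so the rule is silent on process_creation sources that do not carry them (e.g. Windows 4688); this is worth stating in the description so operators know which sources it applies to. Because `Product: PDQ Deploy` and `Company: PDQ.com` are matched independently, the rule will presumably also fire on other PDQ-signed components and not only the console, which the title and description should reflect. The title also has a typo: `title: Use of PDQ Deploy Remote Administration Tool`.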
diff --git a/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml b/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
index bb111e313..486f21309 100644
--- a/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
@@ -1,13 +1,13 @@
title: Pingback Backdoor
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
-status: experimental
+status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-author: Bhabesh Raj
-date: 2021/05/05
-modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1574.001
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml b/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
index d8a7dae29..6f90027b9 100755
--- a/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
+++ b/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
@@ -1,16 +1,16 @@
title: Possible Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
+status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1574.011
-status: experimental
-author: Teymur Kheirkhabarov
-date: 2019/10/26
-modified: 2021/09/15
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
index 96687d496..eaaa66f8d 100644
--- a/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+++ b/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
@@ -1,12 +1,12 @@
title: Process Dump via RdrLeakDiag.exe
-id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
+id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
+status: test
description: Detects a process memory dump performed by RdrLeakDiag.exe
-status: experimental
-level: high
references:
- https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
author: Cedric MAURUGEON
date: 2021/09/24
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -18,5 +18,6 @@ detection:
OriginalFileName: RdrLeakDiag.exe
CommandLine|contains: fullmemdmp
condition: selection
-falsepositives:
+falsepositives:
- Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
index 0cc35a0af..62346dc31 100644
--- a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
@@ -1,22 +1,22 @@
title: Proxy Execution via Wuauclt
id: af77cf95-c469-471c-b6a0-946c685c4798
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
related:
- id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
type: obsoletes
- id: d7825193-b70a-48a4-b992-8b5b3015cc11
type: obsoletes
-status: experimental
-date: 2020/10/12
-modified: 2021/05/10
+status: test
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
+references:
+ - https://dtm.uk/wuauclt/
+ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team
+date: 2020/10/12
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution
-references:
- - https://dtm.uk/wuauclt/
- - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index ad770a245..f4adf2757 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -1,12 +1,16 @@
title: Reg Add RUN Key
id: de587dce-915e-4218-aac4-835ca6af6f70
+status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
-status: experimental
-date: 2021/06/28
-author: Florian Roth
references:
- https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
- https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+author: Florian Roth
+date: 2021/06/28
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: process_creation
product: windows
@@ -22,6 +26,3 @@ falsepositives:
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml b/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml
index 918ecf848..8330c3d1e 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml
@@ -1,12 +1,12 @@
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
+status: test
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
-status: experimental
-date: 2019/09/12
-modified: 2021/05/21
-author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
@@ -19,10 +19,10 @@ detection:
- Image|endswith: '\wsmprovhost.exe'
- ParentImage|endswith: '\wsmprovhost.exe'
condition: selection
+falsepositives:
+ - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
+level: medium
fields:
- ComputerName
- User
- CommandLine
-falsepositives:
- - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml b/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
index 32503402c..f2437ef4c 100644
--- a/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
@@ -1,12 +1,13 @@
title: Remove Windows Defender Definition Files
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
-status: experimental
-author: frack113
-date: 2021/07/07
+status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+author: frack113
+date: 2021/07/07
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -19,12 +20,12 @@ detection:
CommandLine|contains|all:
- ' -RemoveDefinitions'
- ' -All'
- condition: selection
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
index 71cf3eae2..7a5069d4d 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
@@ -1,11 +1,12 @@
title: Renamed MegaSync
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
-status: experimental
+status: test
description: Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021/06/22
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
index 25cd21fc1..cedf389d6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
@@ -1,12 +1,13 @@
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
-status: experimental
+status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth
date: 2021/08/12
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml b/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
index 690e026e0..e77d552c0 100644
--- a/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
+++ b/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
@@ -3,13 +3,13 @@ id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
-status: experimental
+status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020/10/10
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1553.004
@@ -19,7 +19,7 @@ logsource:
detection:
selection1:
Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '-addstore'
- 'root'
selection2:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
index e7802ec96..04931b319 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
@@ -1,11 +1,12 @@
title: Rundll32 Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
-status: experimental
+status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
-author: Bartlomiej Czyz, Relativity
-date: 2021/01/31
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/31
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1021.002
@@ -19,12 +20,12 @@ detection:
selection:
CommandLine: 'rundll32.exe'
condition: selection
+falsepositives:
+ - Unknown
+level: high
fields:
- ComputerName
- SubjectUserName
- CommandLine
- Image
- ParentImage
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
index e50a66e49..b8af7e3e4 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
@@ -1,16 +1,16 @@
title: Possible Shim Database Persistence via sdbinst.exe
id: 517490a7-115a-48c6-8862-1a481504d5a8
-status: experimental
+status: test
description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+author: Markus Neis
+date: 2019/01/16
+modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.011
-author: Markus Neis
-date: 2019/01/16
-modified: 2021/08/14
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
index 8cb212b0f..b48c115e4 100644
--- a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
@@ -1,12 +1,12 @@
title: SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
-status: experimental
+status: test
description: Detects SILENTTRINITY stager use
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
-modified: 2021/09/19
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1071
@@ -19,4 +19,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_software_discovery.yml b/rules/windows/process_creation/proc_creation_win_software_discovery.yml
index e1abb1d03..43fd9e12f 100755
--- a/rules/windows/process_creation/proc_creation_win_software_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_software_discovery.yml
@@ -3,14 +3,14 @@ id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
+status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
-status: experimental
-author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2021/09/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1518
diff --git a/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml b/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
index 2eeba8dcf..8a922f82d 100644
--- a/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
@@ -1,16 +1,15 @@
-title: Suspicious Auditpol Usage
+title: Suspicious Auditpol Usage
id: 0a13e132-651d-11eb-ae93-0242ac130002
-description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-status: experimental
-author: Janantha Marasinghe (https://github.com/blueteam0ps)
+status: test
+description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
-modified: 2021/02/02
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.002
-level: high
logsource:
category: process_creation
product: windows
@@ -18,7 +17,7 @@ detection:
selection_auditpol_binary:
Image|endswith: '\auditpol.exe'
selection_auditpol_command:
- CommandLine|contains:
+ CommandLine|contains:
- 'disable' # disables a specific audit policy
- 'clear' # delete or clears audit policy
- 'remove' # removes an audit policy
@@ -26,3 +25,4 @@ detection:
condition: selection_auditpol_binary and selection_auditpol_command
falsepositives:
- Admin activity
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
index 012b7550c..4302268b3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
@@ -3,14 +3,14 @@ id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
-status: experimental
-author: frack113
-date: 2021/07/13
-modified: 2021/09/07
+status: test
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+author: frack113
+date: 2021/07/13
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -27,11 +27,11 @@ detection:
- '-ScriptBlock '
- '-RemoteFXvGPUDisablementFilePath'
condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml b/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml
index 1e2238e94..8a9e6a2b3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml
@@ -1,13 +1,13 @@
title: Possible Ransomware or Unauthorized MBR Modifications
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
-status: experimental
+status: test
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019/02/07
-modified: 2021/06/18
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1070
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml b/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
index dbf90dbf3..1dcd270fe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
@@ -1,15 +1,16 @@
title: Suspicious Bitstransfer via PowerShell
id: cd5c8085-4070-4e22-908d-a5b3342deb74
-status: experimental
+status: test
description: Detects transferring files from system on a server bitstransfer Powershell cmdlets
references:
- https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
+author: Austin Songer @austinsonger
+date: 2021/08/19
+modified: 2022/10/09
tags:
- attack.exfiltration
- attack.persistence
- attack.t1197
-date: 2021/08/19
-author: Austin Songer @austinsonger
logsource:
category: process_creation
product: windows
@@ -23,10 +24,10 @@ detection:
- 'Get-BitsTransfer'
- 'Add-BitsFile'
condition: selection
+falsepositives:
+ - Unknown
+level: medium
fields:
- ComputerName
- User
- CommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
index d532b960e..1925f3a46 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
@@ -8,7 +8,7 @@ references:
- https://twitter.com/c_APT_ure/status/939475433711722497
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
date: 2018/08/22
-modified: 2022/01/07
+modified: 2022/10/05
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 3d683d11e..c04f74a1d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -6,7 +6,7 @@ references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020/10/25
-modified: 2022/09/29
+modified: 2022/10/07
tags:
- attack.defense_evasion
- attack.t1202
@@ -18,11 +18,33 @@ detection:
ParentImage|endswith: '\conhost.exe'
filter_provider:
Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora
+ # Note that some of these git events occure because of a sppofed parent image
filter_git:
# Example FP:
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
+ # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228
Image|endswith: '\git.exe'
- ParentCommandLine|contains: ' show '
+ ParentCommandLine|contains:
+ - ' show --textconv '
+ - ' cat-file -s '
+ filter_git_show:
+ # Example FP:
+ # GrandparentCommandLine: git.exe cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d258
+ # ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4
+ # ParentImage: C:\Windows\System32\conhost.exe
+ # CommandLine: git.exe show --textconv :path/to/file
+ ParentCommandLine|contains: 'C:\WINDOWS\system32\conhost.exe 0x4'
+ CommandLine|contains:
+ - ' show --textconv '
+ - ' cat-file -s '
+ filter_image_conhost:
+ # Example FP:
+ # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228
+ ParentCommandLine|contains: ' cat-file -s '
+ Image: C:\Windows\System32\conhost.exe
+ filter_image_conhost2:
+ ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4
+ Image: C:\Windows\System32\conhost.exe
condition: selection and not 1 of filter_*
fields:
- Image
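Review bot: `filter_image_conhost2` (the last filter added in this hunk) is the only new filter without an `# Example FP:` comment, and it is also the broadest one: it suppresses every `conhost.exe` child of a `conhost.exe 0x4` parent with no command-line constraint at all, so the observed event that motivated it should be recorded the way `filter_git`, `filter_git_show` and `filter_image_conhost` record theirs. Quoting is inconsistent across the additions: `ParentCommandLine|contains: 'C:\WINDOWS\system32\conhost.exe 0x4'` is quoted while `ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4` and both `Image: C:\Windows\System32\conhost.exe` values are plain scalars; quoting every Windows path keeps them safe from YAML re-typing and matches the rest of the file. The comment introduced at the top of the hunk has two typos, `occure` → `occur` and `sppofed` → `spoofed`. The two example object hashes in the comments differ only in their last digits (…d228 vs …d258), which looks like a copy error worth checking.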
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
index 8dcca7ac3..51a99bb43 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
@@ -1,7 +1,7 @@
title: Suspicious Csc.exe Source File Folder
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
+status: test
description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
-status: experimental
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
@@ -9,7 +9,7 @@ references:
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth
date: 2019/08/24
-modified: 2021/02/01
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1027.004
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
index 1334a3a15..c8592afa3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
@@ -20,7 +20,7 @@ falsepositives:
- Unknown
level: high
tags:
- - attack.develop_capabilities
+ - attack.resource_development
- attack.t1587.001
- attack.execution
- attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index 67f7c265e..891a8859d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -9,7 +9,7 @@ references:
- https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
date: 2020/07/03
-modified: 2022/09/20
+modified: 2022/09/29
logsource:
category: process_creation
product: windows
@@ -42,10 +42,9 @@ detection:
- '--remote-name'
- '--output'
filter_git_windows:
+ # Example FP
+ # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
- ParentCommandLine|contains|all:
- - 'git-update-git-for-windows'
- - '--quiet --gui'
Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
CommandLine|contains|all:
- '--silent --show-error --output '
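Review bot: Removing the `ParentCommandLine|contains|all` block from `filter_git_windows` widens the exclusion from the Git-for-Windows self-updater to any `mingw64\bin\curl.exe` launched by Git's `sh.exe` whose command line contains `--silent --show-error --output `; the `CommandLine|contains|all` list continues past the end of the hunk, so unless its remaining entries pin the invocation to the updater, any download run through Git's shell would now be filtered as well. The Example FP comment added above the filter shows two tokens specific to that updater, `--write-out %{http_code}` and `https://gitforwindows.org/latest-tag.txt`, either of which could be added to the `contains|all` list to keep the exclusion narrow, e.g. `- 'https://gitforwindows.org/'`. If the parent-command-line condition was dropped because it no longer matches newer Git versions, a one-line comment above `ParentImage` stating that would record the reasoning for the next maintainer.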
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index e29ff857d..92b8e6308 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -1,15 +1,15 @@
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
-status: experimental
+status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
- https://github.com/Neo23x0/Raccine
+author: Florian Roth
+date: 2021/01/21
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
-author: Florian Roth
-date: 2021/01/21
-modified: 2021/07/14
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml
index 58ee30dd1..aed5bdabf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml
@@ -1,13 +1,14 @@
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
-status: experimental
-author: sam0x90
-date: 2021/08/06
+status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://attack.mitre.org/software/S0404/
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+author: sam0x90
+date: 2021/08/06
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1003
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
index b140f479a..a8c156788 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
@@ -1,13 +1,13 @@
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
+status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-status: experimental
references:
- https://securelist.com/muddywater/88059/
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018/11/22
-modified: 2021/06/27
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.006
@@ -27,9 +27,9 @@ detection:
folder:
Image|contains: '\Downloads\'
condition: (selection1 or selection2 or selection3) and folder
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Unknown
level: medium
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_logoff.yml b/rules/windows/process_creation/proc_creation_win_susp_logoff.yml
new file mode 100644
index 000000000..8a110e0af
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_logoff.yml
@@ -0,0 +1,23 @@
+title: Suspicious Execution of Shutdown to Log Out
+id: ec290c06-9b6b-4338-8b6b-095c0f284f10
+status: experimental
+description: Detects the rare use of the command line tool shutdown to logoff a user
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
+date: 2022/10/01
+tags:
+ - attack.impact
+ - attack.t1529
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\shutdown.exe'
+ CommandLine|contains: '/l'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
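Review bot: `CommandLine|contains: '/l'` in the new `selection` covers only the slash form of the switch; `shutdown.exe` also accepts the dash form (`shutdown -l`), so that variant is missed, while a bare two-character substring can also fire on any `/l` inside a longer argument. Matching the switch with its leading separator — `CommandLine|contains:` with `- ' /l'` and `- ' -l'` — closes the gap and narrows the substring at the same time. `falsepositives: - Unknown` could name the obvious benign sources (logoff scripts, endpoint-management tooling) so an analyst triaging a medium-level hit knows what to rule out first.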
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
index 24b1dfcf3..c77da0094 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
@@ -1,7 +1,7 @@
title: Ngrok Usage
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
+status: test
description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
-status: experimental
references:
- https://ngrok.com/docs
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
@@ -10,7 +10,7 @@ references:
- https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/.
author: Florian Roth
date: 2021/05/14
-modified: 2021/06/07
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index e8b55f8fe..98e25cc03 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
-modified: 2022/09/20
+modified: 2022/10/07
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
@@ -83,6 +83,9 @@ detection:
- '\LocalState\rootfs\'
filter_lzma_exe:
Image|endswith: '\LZMA_EXE'
+ filter_windows_helper:
+ ParentImage: C:\Windows\Temp\
+ Image|startswith: 'C:\Windows\Temp\Helper\'
condition: not known_image_extension and not 1 of filter*
falsepositives:
- Unknown
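Review bot: `ParentImage: C:\Windows\Temp\` in the new `filter_windows_helper` is an exact match against a directory path, which a process image field would not normally equal, so as written the filter most likely never suppresses anything; if a prefix match is intended it should be `ParentImage|startswith: 'C:\Windows\Temp\'`, and if the telemetry really reports a bare directory as the parent image, an `# Example FP:` comment showing the observed event would justify the exact match. Either way the value should be quoted like the `Image|startswith: 'C:\Windows\Temp\Helper\'` line below it. This filter also excludes every non-`.exe` image under `C:\Windows\Temp\Helper\` from a rule whose purpose is catching unusual image paths, so it is a deliberate blind spot and deserves a one-line comment naming the software that writes there.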
diff --git a/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
index 6124d0ec2..140859c9b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
@@ -1,10 +1,10 @@
title: Execution in Outlook Temp Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
-status: experimental
+status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth
date: 2019/10/01
-modified: 2021/06/27
+modified: 2022/10/09
tags:
- attack.initial_access
- attack.t1566.001
@@ -15,9 +15,9 @@ detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Unknown
level: high
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml b/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml
index da9ca8e0b..a33d595fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml
@@ -1,12 +1,13 @@
title: Suspicious Plink Remote Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
-status: experimental
+status: test
description: Detects suspicious Plink tunnel remote forarding to a local port
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth
date: 2021/01/19
+modified: 2022/10/09
tags:
- attack.command_and_control
- attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
index 623460262..1aca33703 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
@@ -1,11 +1,12 @@
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
+status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
-status: experimental
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth
date: 2021/04/23
+modified: 2022/10/09
tags:
- attack.credential_access
- attack.t1552.004
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
index 972ce610d..36bed23c8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
@@ -1,4 +1,4 @@
-title: PsExec/PAExec Flags
+title: PsExec/PAExec Flags
id: 207b0396-3689-42d9-8399-4222658efc99
status: experimental
description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
@@ -8,30 +8,32 @@ references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth
date: 2021/05/22
-modified: 2021/11/23
+modified: 2022/10/06
logsource:
category: process_creation
product: windows
detection:
- selection_flags_1: # Escalation to LOCAL_SYSTEM
- CommandLine|endswith:
+ selection_flags_1:
+ # Escalation to LOCAL_SYSTEM
+ CommandLine|endswith:
- ' -s cmd.exe'
- ' -s -i cmd.exe'
selection_flags_2:
- CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+ # Accepting EULA in commandline - often used in automated attacks
+ CommandLine|contains|all:
- 'accepteula'
- ' -u '
- ' -p '
- ' \\'
filter:
- CommandLine|contains:
+ CommandLine|contains:
- 'paexec'
- 'PsExec'
- condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+ condition: 1 of selection_flags_* and not filter
falsepositives:
- Weird admins that rename their tools
- - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+ - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
tags:
- - attack.develop_capabilities
+ - attack.resource_development
- attack.t1587.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
index 9e29faf26..63cd4722c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
@@ -1,13 +1,13 @@
title: Suspicious RazerInstaller Explorer Subprocess
id: a4eaf250-7dc1-4842-862a-5e71cd59a167
-status: experimental
+status: test
description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
references:
- https://twitter.com/j0nh4t/status/1429049506021138437
- https://streamable.com/q2dsji
author: Florian Roth, Maxime Thiebaut
date: 2021/08/23
-modified: 2021/08/24
+modified: 2022/10/09
tags:
- attack.privilege_escalation
- attack.t1553
@@ -23,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
index b210e6045..9aff7aa42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
@@ -1,24 +1,25 @@
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
+status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
-status: experimental
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth
date: 2021/05/27
+modified: 2022/10/09
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
- ParentImage|endswith:
+ ParentImage|endswith:
- '\TrustedInstaller.exe'
- '\ProcessHacker.exe'
condition: selection
falsepositives:
- Unlikely
level: high
-tags:
- - attack.privilege_escalation
- - attack.t1548
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
index 06c4680f6..5481c15ad 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
@@ -1,12 +1,15 @@
title: Renamed PAExec
id: c4e49831-1496-40cf-8ce1-b53f942b02f9
-status: experimental
+status: test
description: Detects suspicious renamed PAExec execution as often used by attackers
references:
- https://www.poweradmin.com/paexec/
author: Florian Roth
date: 2021/05/22
-modified: 2021/07/06
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1202
logsource:
category: process_creation
product: windows
@@ -16,14 +19,11 @@ detection:
selection2:
OriginalFileName: 'PAExec.exe'
filter:
- Image|endswith:
+ Image|endswith:
- '\PAexec.exe'
- '\paexec.exe'
condition: ( selection1 or selection2 ) and not filter
falsepositives:
- Weird admins that rename their tools
- - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+ - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
index 7018898a6..69a1bbe9d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
@@ -1,17 +1,21 @@
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
-status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth
date: 2021/03/05
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'rundll32.exe'
- 'Execute'
- 'RegRead'
@@ -20,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1055
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
index c060afcb2..6b2780776 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
@@ -1,14 +1,15 @@
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
+status: test
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
-status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1218.011
-author: Florian Roth
-date: 2021/03/05
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
index a01fb65c1..a69936f32 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
@@ -1,10 +1,17 @@
title: Scheduled Task Creation
id: 92626ddd-662c-49e3-ac59-f6535f12d189
-status: experimental
+status: test
description: Detects the creation of scheduled tasks in user session
author: Florian Roth
date: 2019/01/16
-modified: 2021/08/26
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.005
+ - attack.s0111
+ - car.2013-08-001
logsource:
category: process_creation
product: windows
@@ -17,17 +24,10 @@ detection:
- 'AUTHORI'
- 'AUTORI'
condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.005
- - attack.s0111
- - car.2013-08-001
falsepositives:
- Administrative activity
- Software installation
level: low
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
index 65fda53ba..171843cfd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
@@ -1,30 +1,31 @@
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
-status: experimental
+status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-author: Florian Roth
-date: 2021/03/11
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+author: Florian Roth
+date: 2021/03/11
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' /create '
- ' /sc once '
- '\Temp\'
condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.persistence
- - attack.t1053.005
falsepositives:
- Administrative activity
- Software installation
level: high
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml b/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
index d146d9dca..df35d9cc5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
@@ -1,11 +1,15 @@
title: ScreenConnect Remote Access
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
-status: experimental
+status: test
description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
references:
- https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
-author: Florian Roth
+author: Florian Roth
date: 2021/02/11
+modified: 2022/10/09
+tags:
+ - attack.initial_access
+ - attack.t1133
logsource:
category: process_creation
product: windows
@@ -21,6 +25,3 @@ detection:
falsepositives:
- Legitimate use by administrative staff
level: high
-tags:
- - attack.initial_access
- - attack.t1133
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index f435334e9..e06bb4d1b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -1,23 +1,27 @@
title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
+status: test
description: Detects a service binary running in a suspicious directory
-author: Florian Roth
-date: 2021/03/09
-status: experimental
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+author: Florian Roth
+date: 2021/03/09
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
+ Image|contains:
- '\Users\Public\'
- '\$Recycle.bin'
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\Contacts\'
- - '\Users\Searches\'
+ - '\Users\Searches\'
- 'C:\Perflogs\'
- '\config\systemprofile\'
- '\Windows\Fonts\'
@@ -30,6 +34,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
index 25032789c..688ad4185 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
@@ -1,19 +1,20 @@
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
-status: experimental
-description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
-author: Florian Roth
-date: 2021/07/14
+status: test
+description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-logsource:
- category: process_creation
- product: windows
+author: Florian Roth
+date: 2021/07/14
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1136.001
- cve.2021.35211
# - threat_group.DEV-0322
+logsource:
+ category: process_creation
+ product: windows
detection:
selection1:
CommandLine|contains: 'whoami'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
index db86b29f6..cf9a4fc30 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
@@ -1,17 +1,17 @@
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
-status: experimental
+status: test
description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
references:
- https://twitter.com/pabraeken/status/990758590020452353
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
- https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+date: 2020/10/14
+modified: 2022/10/09
tags:
- attack.t1218
- attack.defense_evasion
-author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-date: 2020/10/14
-modified: 2021/07/06
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 589daabf4..708b03cef 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -1,12 +1,15 @@
title: Suspicious Userinit Child Process
id: b655a06a-31c0-477a-95c2-3726b83d649d
-status: experimental
+status: test
description: Detects a suspicious child process of userinit
references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
-modified: 2021/09/28
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1055
logsource:
category: process_creation
product: windows
@@ -19,12 +22,9 @@ detection:
- Image|endswith: '\explorer.exe'
- ImageFileName: 'explorer.exe'
condition: selection and not 1 of filter*
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Administrative scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1055
\ No newline at end of file
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
index cc1721cc0..e7225b837 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
@@ -1,11 +1,15 @@
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+status: test
description: Detects suspicious inline VBScript keywords as used by UNC2452
-status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth
date: 2021/03/05
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: process_creation
product: windows
@@ -23,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
index 416b8f301..8bc386ef5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
@@ -1,11 +1,12 @@
title: Disabled Volume Snapshots
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
+status: test
description: Detects commands that temporarily turn off Volume Snapshots
references:
- https://twitter.com/0gtweet/status/1354766164166115331
-date: 2021/01/28
-status: experimental
author: Florian Roth
+date: 2021/01/28
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -17,7 +18,7 @@ detection:
CommandLine|contains|all:
- 'reg'
- ' add '
- - '\Services\VSS\Diag'
+ - '\Services\VSS\Diag'
- '/d Disabled'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
index ef3327d7d..0c90ca94d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
@@ -1,13 +1,13 @@
title: Windows Suspicious Use Of Web Request in CommandLine
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
-status: experimental
+status: test
description: Detects the use of various web request with commandline tools or Windows PowerShell command,methods (including aliases)
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019/10/24
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1059.001
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
index bfd2f6cf6..00c5f08b2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
@@ -1,12 +1,12 @@
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
-status: experimental
references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020/10/06
-modified: 2021/09/19
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1216
@@ -14,19 +14,19 @@ logsource:
category: process_creation
product: windows
detection:
- contains_format_pretty_arg:
+ contains_format_pretty_arg:
CommandLine|contains:
- 'format:pretty'
- 'format:"pretty"'
- 'format:"text"'
- 'format:text'
image_from_system_folder:
- Image|startswith:
+ Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
contains_winrm:
CommandLine|contains: 'winrm'
condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
-level: medium
falsepositives:
- Unlikely
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
index 17d3021c5..3cb02c08d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
@@ -1,12 +1,16 @@
title: Suspicious WMIC ActiveScriptEventConsumer Creation
id: ebef4391-1a81-4761-a40a-1db446c0e625
-status: experimental
+status: test
description: Detects WMIC executions in which a event consumer gets created in order to establish persistence
references:
- https://twitter.com/johnlatwc/status/1408062131321270282?s=12
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
author: Florian Roth
date: 2021/06/25
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1546.003
logsource:
category: process_creation
product: windows
@@ -16,12 +20,9 @@ detection:
- 'ActiveScriptEventConsumer'
- ' CREATE '
condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.persistence
- - attack.t1546.003
falsepositives:
- Legitimate software creating script event consumers
level: high
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml b/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
index 24acf955a..d761577c2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
@@ -3,13 +3,13 @@ id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
-status: experimental
-author: frack113
-date: 2021/07/20
-modified: 2021/09/07
+status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
+author: frack113
+date: 2021/07/20
+modified: 2022/10/09
tags:
- attack.collection
- attack.t1074.001
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml b/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
index 505f7d952..c4e4c0e21 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
@@ -1,20 +1,20 @@
title: Sysmon Driver Unload
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
-status: experimental
-author: Kirill Kiryanov, oscd.community
+status: test
description: Detect possible Sysmon driver unload
-date: 2019/10/23
-modified: 2021/09/27
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
-logsource:
- product: windows
- category: process_creation
+author: Kirill Kiryanov, oscd.community
+date: 2019/10/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1562
- attack.t1562.002
+logsource:
+ product: windows
+ category: process_creation
detection:
selection:
Image|endswith: '\fltmc.exe'
@@ -22,7 +22,7 @@ detection:
- 'unload'
- 'sys'
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: high
fields:
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index b461488fb..00f0cd47c 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -2,15 +2,15 @@ title: UAC Bypass via Event Viewer
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
- type: derived
-status: experimental
+ type: derived
+status: test
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
date: 2017/03/19
-modified: 2021/09/12
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -25,9 +25,9 @@ detection:
filterprocess:
Image|endswith: '\mmc.exe'
condition: methprocess and not filterprocess
+falsepositives:
+ - Unknown
+level: high
fields:
- CommandLine
- ParentCommandLine
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
index 19e5917e1..04a83dcbb 100644
--- a/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
+status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-author: Christian Burkard
-date: 2021/08/31
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/31
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_trust_discovery.yml b/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
index b26ce392c..9c443a2ff 100644
--- a/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
@@ -1,19 +1,19 @@
title: Domain Trust Discovery
id: 3bad990e-4848-4a78-9530-b427d854aac0
related:
- - id: 77815820-246c-47b8-9741-e0def3f57308
- type: obsoletes
+ - id: 77815820-246c-47b8-9741-e0def3f57308
+ type: obsoletes
+status: test
description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
-status: experimental
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
-date: 2019/10/24
-modified: 2021/07/09
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
+date: 2019/10/24
+modified: 2022/10/09
tags:
- attack.discovery
- attack.t1482
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index 35c63c90e..403f458c6 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -1,13 +1,14 @@
title: UAC Bypass Using ChangePK and SLUI
id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
+status: test
description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -20,8 +21,8 @@ detection:
Image|endswith: '\changepk.exe'
ParentImage|endswith: '\slui.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index b2e34b5f2..996a7be80 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using Disk Cleanup
id: b697e69c-746f-4a86-9f59-7bfff8eab881
+status: test
description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -18,8 +19,8 @@ detection:
CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index 201451abf..c2fd21940 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using Consent and Comctl32 - Process
id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
+status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -18,8 +19,8 @@ detection:
ParentImage|endswith: '\consent.exe'
Image|endswith: '\werfault.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 64e8fe82c..8c6f655a7 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using DismHost
id: 853e74f9-9392-4935-ad3b-2e8c040dae86
+status: test
description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -20,8 +21,8 @@ detection:
- '\AppData\Local\Temp\'
- '\DismHost.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index 2db105f41..f05355a62 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
+status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -16,8 +17,8 @@ logsource:
detection:
selection:
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
ParentImage|endswith: '\ieinstal.exe'
Image|contains: '\AppData\Local\Temp\'
Image|endswith: 'consent.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 96e43028e..cc833b1cb 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
+status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -16,8 +17,8 @@ logsource:
detection:
selection:
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index 720da7520..5168dac7f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
+status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -18,13 +19,13 @@ detection:
CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
CommandLine|endswith: '\AppData\Local\Temp\update.msu'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
selection2:
ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\'
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 75d1a14d8..8969c1e7b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
+status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -18,8 +19,8 @@ detection:
ParentImage|endswith: '\pkgmgr.exe'
Image|endswith: '\dism.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index 5350f745c..31b9b9b11 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Abusing Winsat Path Parsing - Process
id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
+status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-author: Christian Burkard
-date: 2021/08/30
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -16,8 +17,8 @@ logsource:
detection:
selection:
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index df9bfe071..90998f3f6 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -1,11 +1,12 @@
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
+status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://github.com/hfiref0x/UACME
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -17,14 +18,14 @@ detection:
selection1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
selection2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: 1 of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index 8e4707a93..fc048cf4e 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -1,13 +1,14 @@
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
+status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
references:
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+author: Christian Burkard
+date: 2021/08/23
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -19,8 +20,8 @@ detection:
selection:
Image|endswith: '\wsreset.exe'
IntegrityLevel:
- - 'High'
- - 'System'
+ - 'High'
+ - 'System'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc.yml b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
new file mode 100644
index 000000000..3c574547f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
@@ -0,0 +1,24 @@
+title: Use of UltraVNC Remote Access Software
+id: 145322e4-0fd3-486b-81ca-9addc75736d8
+status: experimental
+description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
+author: frack113
+date: 2022/10/02
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Description: VNCViewer
+ - Product: UltraVNC VNCViewer
+ - Company: UltraVNC
+ - OriginalFileName: VNCViewer.exe
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
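Review bot: Three of the four alternatives in `selection` (`Description: VNCViewer`, `Product: UltraVNC VNCViewer`, `OriginalFileName: VNCViewer.exe`) describe the viewer binary, i.e. the operator's console, while the title and description speak of a remote access channel "to target systems" — on the controlled host only `Company: UltraVNC` would fire, and only if the server component carries that version-info string. Consider stating in the description which side of the connection the rule is meant to catch, or adding a server-side alternative such as an `Image|endswith` on the UltraVNC server executable name (to be confirmed against a current build). All four fields are PE version resources that a rebuilt or stripped binary can drop, so the false-positive note `Legitimate use` should be complemented by a false-negative caveat, e.g. `# matches only unmodified UltraVNC binaries with intact version info`. Minor: the description has a stray comma, `software,to establish` → `software, to establish`.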
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
index 916c40b48..eaf5a2257 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
@@ -1,11 +1,12 @@
title: Uninstall Crowdstrike Falcon
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
-status: experimental
-author: frack113
-date: 2021/07/12
+status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: frack113
+date: 2021/07/12
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -19,11 +20,11 @@ detection:
- ' /uninstall'
- ' /quiet'
condition: selection
+falsepositives:
+ - Uninstall by admin
+level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
-falsepositives:
- - Uninstall by admin
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml b/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
index 59c7fc5b5..3073658cb 100644
--- a/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
+++ b/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
@@ -1,15 +1,15 @@
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
-status: experimental
+status: test
description: Detects the Installation of a Exchange Transport Agent
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-tags:
- - attack.persistence
- - attack.t1505.002
-author: Tobias Michalski
+author: Tobias Michalski
date: 2021/06/08
-modified: 2021/09/19
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1505.002
logsource:
product: windows
category: process_creation
@@ -21,4 +21,4 @@ falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
fields:
- - AssemblyPath
\ No newline at end of file
+ - AssemblyPath
diff --git a/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml b/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml
index ddda0270e..b6684a5b4 100644
--- a/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml
@@ -1,13 +1,13 @@
title: Microsoft Workflow Compiler
id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
-status: experimental
+status: test
description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-author: Nik Seetharaman, frack113
-date: 2019/01/16
-modified: 2021/07/13
references:
- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+author: Nik Seetharaman, frack113
+date: 2019/01/16
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.execution
@@ -23,9 +23,9 @@ detection:
OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
CommandLine|contains: '.xml'
condition: selection or selection_t1218
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Legitimate MWC use (unlikely in modern enterprise environments)
level: high
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
index e9c902311..5321cd422 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
+++ b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
@@ -1,13 +1,16 @@
title: Ursnif
id: 21f17060-b282-4249-ade0-589ea3591558
-status: experimental
+status: test
description: Detects new registry key created by Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019/02/13
-modified: 2021/06/26
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1112
logsource:
product: windows
category: registry_add
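Review bot: The relocated tag block at new lines 12–13 pairs `attack.execution` with `attack.t1112`, but T1112 (Modify Registry) belongs to the Defense Evasion tactic in ATT&CK, so the tactic tag does not match the technique; suggest `- attack.defense_evasion` in place of `- attack.execution`. The same tactic/technique check seems worth applying to registry_event_apt_pandemic.yml (`attack.lateral_movement` with `attack.t1105`, which current ATT&CK lists as Ingress Tool Transfer under Command and Control) and registry_event_mal_flowcloud.yml (`attack.persistence` with `attack.t1112`), where this commit also only moves the tags. The tag ordering change itself is fine; the point is that moving the block is a natural moment to correct the mapping rather than carry it forward.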
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
index 36a523e37..15a839943 100644
--- a/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
@@ -3,25 +3,13 @@ id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
+status: test
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-date: 2018/03/23
-modified: 2021/09/19
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-logsource:
- category: registry_event
- product: windows
-detection:
- selection_reg1:
- TargetObject|endswith:
- - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
- condition: selection_reg1
-falsepositives:
- - Unknown
-level: critical
+date: 2018/03/23
+modified: 2022/10/09
tags:
- attack.persistence
- attack.g0049
@@ -31,4 +19,16 @@ tags:
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- - attack.t1071.004
\ No newline at end of file
+ - attack.t1071.004
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_reg1:
+ TargetObject|endswith:
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+ condition: selection_reg1
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml b/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
index 26311a8cc..536f47761 100644
--- a/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
@@ -1,12 +1,15 @@
title: Leviathan Registry Key Activity
id: 70d43542-cd2d-483c-8f30-f16b436fd7db
-status: experimental
+status: test
description: Detects registry key used by Leviathan APT in Malaysian focused campaign
references:
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
author: Aidan Bracher
date: 2020/07/07
-modified: 2021/09/13
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_event
product: windows
@@ -15,6 +18,3 @@ detection:
TargetObject: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
condition: selection
level: critical
-tags:
- - attack.persistence
- - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
index 1c92e0558..5eda45dde 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
@@ -1,16 +1,16 @@
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
-status: experimental
+status: test
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
- https://github.com/eset/malware-ioc/tree/master/oceanlotus
+author: megan201296, Jonhnathan Ribeiro
+date: 2019/04/14
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1112
-author: megan201296, Jonhnathan Ribeiro
-date: 2019/04/14
-modified: 2021/09/17
logsource:
category: registry_event
product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index ee4a492b2..51ec57316 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -1,16 +1,16 @@
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
-status: experimental
+status: test
description: Detects Pandemic Windows Implant
references:
- https://wikileaks.org/vault7/#Pandemic
- https://twitter.com/MalwareJake/status/870349480356454401
+author: Florian Roth
+date: 2017/06/01
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1105
-author: Florian Roth
-date: 2017/06/01
-modified: 2021/09/12
logsource:
category: registry_event
product: windows
@@ -27,4 +27,4 @@ fields:
- ParentCommandLine
- Image
- User
- - TargetObject
\ No newline at end of file
+ - TargetObject
diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
index 159ec0360..d9f20e6c5 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
@@ -1,27 +1,27 @@
title: FlowCloud Malware
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
-status: experimental
+status: test
description: Detects FlowCloud malware from threat group TA410.
references:
- - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+ - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
-tags:
- - attack.persistence
- - attack.t1112
date: 2020/06/09
-modified: 2021/07/22
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1112
logsource:
- product: windows
- category: registry_event
+ product: windows
+ category: registry_event
detection:
- selection:
- - TargetObject:
- - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- - TargetObject|startswith:
- - 'HKLM\SYSTEM\Setup\PrintResponsor\'
- condition: selection
+ selection:
+ - TargetObject:
+ - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
+ - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
+ - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
+ - TargetObject|startswith:
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: critical
diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 6ded1f970..669c834f4 100644
--- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -1,41 +1,41 @@
-title: PrinterNightmare Mimimkatz Driver Name
+title: PrinterNightmare Mimimkatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
-status: experimental
+status: test
description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
references:
- - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
- - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+ - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
+ - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
author: Markus Neis, @markus_neis, Florian Roth
-tags:
- - attack.execution
- - attack.t1204
- - cve.2021.1675
- - cve.2021.34527
date: 2021/07/04
-modified: 2021/07/28
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1204
+ - cve.2021.1675
+ - cve.2021.34527
logsource:
- product: windows
- category: registry_event
+ product: windows
+ category: registry_event
detection:
- selection:
- TargetObject|contains:
- - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
- selection_alt:
- TargetObject|contains|all:
- - 'legitprinter'
- - '\Control\Print\Environments\Windows'
- selection_print:
- TargetObject|contains:
- - '\Control\Print\Environments'
- - '\CurrentVersion\Print\Printers'
- selection_kiwi:
- TargetObject|contains:
- - 'Gentil Kiwi'
- - 'mimikatz printer'
- - 'Kiwi Legit Printer'
- condition: selection or selection_alt or (selection_print and selection_kiwi)
+ selection:
+ TargetObject|contains:
+ - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
+ - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
+ selection_alt:
+ TargetObject|contains|all:
+ - 'legitprinter'
+ - '\Control\Print\Environments\Windows'
+ selection_print:
+ TargetObject|contains:
+ - '\Control\Print\Environments'
+ - '\CurrentVersion\Print\Printers'
+ selection_kiwi:
+ TargetObject|contains:
+ - 'Gentil Kiwi'
+ - 'mimikatz printer'
+ - 'Kiwi Legit Printer'
+ condition: selection or selection_alt or (selection_print and selection_kiwi)
falsepositives:
- - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
+ - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
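Review bot: The title on the new side still carries the misspelling `PrinterNightmare Mimimkatz Driver Name` (second line of the hunk); the tool is Mimikatz, so it should read `title: PrinterNightmare Mimikatz Driver Name`. Since most SIEM integrations surface the Sigma title as the alert name, the typo propagates to every alert this rule raises, and this re-indentation pass was the natural place to fix it.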
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index c275f908c..83117c156 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -1,12 +1,12 @@
title: NetNTLM Downgrade Attack
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
+status: test
description: Detects NetNTLM downgrade attack
-status: experimental
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth, wagga
date: 2018/03/20
-modified: 2021/09/21
+modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1562.001
diff --git a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
index 601ba1c9d..fb47e5c69 100644
--- a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
+++ b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
@@ -1,15 +1,15 @@
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
-status: experimental
+status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
- https://attack.mitre.org/techniques/T1137/002/
author: omkar72
+date: 2020/10/25
+modified: 2022/10/09
tags:
- attack.persistence
- attack.t1137.002
-date: 2020/10/25
-modified: 2021/09/13
logsource:
category: registry_event
product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
index dfea626f0..8b792b800 100644
--- a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
@@ -1,19 +1,19 @@
title: PortProxy Registry Key
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
-status: experimental
+status: test
description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
+author: Andreas Hunkeler (@Karneades)
date: 2021/06/22
-modified: 2021/09/13
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
-author: Andreas Hunkeler (@Karneades)
logsource:
category: registry_event
product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
index d68b3dfef..42e1bef70 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
@@ -1,12 +1,12 @@
title: Suspicious Camera and Microphone Access
id: 62120148-6b7a-42be-8b91-271c04e281a3
+status: test
description: Detects Processes accessing the camera and microphone from suspicious folder
-status: experimental
-author: Den Iuzvyk
-date: 2020/06/07
-modified: 2021/09/17
references:
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+author: Den Iuzvyk
+date: 2020/06/07
+modified: 2022/10/09
tags:
- attack.collection
- attack.t1125
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 0a9c32a50..6fcac7a54 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -3,7 +3,7 @@ id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
author: frack113
date: 2022/01/05
-modified: 2022/03/26
+modified: 2022/10/05
status: experimental
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
@@ -16,7 +16,7 @@ detection:
EventType: SetValue
TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
filter:
- Details: '%SystemRoot%\system32\mmc.exe "%1" %*'
+ Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
condition: selection and not filter
falsepositives:
- Unknown
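Review bot: Relaxing the filter to `Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'` exempts any value that merely begins with the legitimate mmc.exe command line, so a hijacked value that keeps that prefix and appends further content is no longer reported. The hunk gives no reason for the change; if it tolerates variations in how Sysmon renders the trailing `%*`, that should be stated in a comment, e.g. `# startswith: the trailing "%*" is not rendered consistently in Sysmon Details`, and an exact-match list of the observed variants is preferable to an open-ended prefix. The `selection` block that this filter is subtracted from starts outside the hunk.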
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml b/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
index b00064de3..773a80299 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
@@ -1,23 +1,24 @@
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
-status: experimental
+status: test
description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
-author: Sittikorn S
references:
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
- - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
+ - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+author: Sittikorn S
date: 2020/05/31
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: SetValue
- TargetObject|startswith: 'HKCR\ms-msdt\'
- condition: selection
-falsepositives:
- - Unknown
-level: medium
+modified: 2022/10/09
tags:
- - attack.defense_evasion
- - attack.t1221
+ - attack.defense_evasion
+ - attack.t1221
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKCR\ms-msdt\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
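Review bot: The `date: 2020/05/31` line kept on the new side predates the disclosure of CVE-2022-30190 by two years, so it is almost certainly a typo for `date: 2022/05/31`. Since the commit already touches every other metadata field of this rule, correcting the date here avoids misleading consumers who sort or filter rules by creation date.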
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
new file mode 100644
index 000000000..c61f90cd5
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -0,0 +1,23 @@
+title: Disable Privacy Settings Experience in Registry
+id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
+status: experimental
+description: Detects registry modifications that disable Privacy Settings Experience
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
+author: frack113
+date: 2022/10/02
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Legitimate admin script
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
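Review bot: The match on `Details: 'DWORD (0x00000000)'` appears inverted relative to the title: per Microsoft's documentation of the `DisablePrivacyExperience` policy, a value of 1 disables the privacy settings experience and 0 re-enables it, so as written the rule would fire on the benign state and miss the disabling one. Please verify against the referenced atomic test and, if confirmed, change the line to `Details: 'DWORD (0x00000001)'`. A one-line comment such as `# 1 = privacy experience disabled` next to the value would prevent the same confusion for future maintainers.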
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 94600a1c2..d68048b45 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
author: frack113, Florian Roth
date: 2022/03/17
-modified: 2022/03/26
+modified: 2022/10/06
logsource:
category: registry_set
product: windows
@@ -22,11 +22,13 @@ detection:
- '.DownloadFile('
- '.DownloadString('
- ' -w hidden '
+ - '-windowstyle hidden'
- ' -nop '
- ' -encodedcommand '
+ - '-ExecutionPolicy Bypass'
condition: selection
falsepositives:
- - Legitimate admin script
+ - Legitimate admin or third party scripts
level: medium
tags:
- attack.persistence
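Review bot: The new entries `'-windowstyle hidden'` and `'-ExecutionPolicy Bypass'` only cover the fully spelled switches, while powershell.exe accepts any unambiguous prefix, so the very common `-ep bypass`, `-exec bypass` and `-win hidden` forms in a Run value still slip past; adding `- ' -ep bypass'` and `- ' -exec bypass'` alongside the existing `' -w hidden '` would close the most frequent variants. The two new strings also drop the surrounding spaces that the older entries carry, which is presumably deliberate to catch `-windowstyle hidden` at the end of a value, but it is worth a comment. The selection key these strings belong to starts outside the hunk.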
diff --git a/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml
new file mode 100644
index 000000000..e3bf63b89
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml
@@ -0,0 +1,31 @@
+title: Newly Registered Protocol Handler
+id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
+description: Detects when a new custom protocole handler is registered
+status: experimental
+date: 2022/05/30
+author: Nasreddine Bencherchali
+references:
+ - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|startswith: 'HKCR\'
+ Details|startswith: 'URL:'
+ filter_trusted:
+ - Details|startswith: 'URL:ms-' # Microsoft Protocols usualy start with "ms-"
+ - Image|startswith: # Add more folders to avoid FP
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)'
+ - 'C:\Windows\'
+ #filter_specific:
+ # Uncomment This section to add specific Protocol Handler names that are know
+ # Details: 'URL:'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Legitimate applications registering a new custom protocol handler
+level: medium
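Review bot: The `Image|startswith: 'C:\Windows\'` entry in `filter_trusted` silently exempts reg.exe, regedit.exe, powershell.exe, cmd.exe and the script hosts, which all live under C:\Windows\ and are the usual way a script or attacker registers a handler, as well as user-writable directories such as C:\Windows\Temp\; the rule therefore fires mostly on third-party installers and not on the activity it is meant to catch. Separately, `TargetObject|startswith: 'HKCR\'` misses per-user registrations, which Sysmon reports under `HKU\<SID>_Classes\` (the UAC eventviewer rule in this same commit matches on `_Classes\`), and per-machine ones under `HKLM\SOFTWARE\Classes\`. A reworked detection that keeps the Program Files exemption but withholds it from the registry-editing LOLBins and writable Windows subfolders, and that covers the Classes hives, is sketched below; the `'C:\Program Files (x86)'` entry should also gain its trailing backslash. The description's "protocole" and the comment's "usualy" are typos.
```yaml
detection:
    selection:
        # HKCR\ is the merged view; Sysmon logs per-user and per-machine writes under
        # HKU\<SID>_Classes\ and HKLM\SOFTWARE\Classes\, covered by the second form
        - TargetObject|startswith: 'HKCR\'
        - TargetObject|contains: '\Classes\'
    selection_details:
        Details|startswith: 'URL:'
    filter_trusted:
        - Details|startswith: 'URL:ms-' # Microsoft protocols usually start with "ms-"
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
    filter_windows:
        Image|startswith: 'C:\Windows\'
    filter_windows_untrusted:
        # registry editors, script hosts and user-writable folders must not inherit the C:\Windows\ exemption
        - Image|endswith:
              - '\reg.exe'
              - '\regedit.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
              - '\wscript.exe'
              - '\cscript.exe'
        - Image|startswith:
              - 'C:\Windows\Temp\'
              - 'C:\Windows\Tasks\'
    condition: all of selection* and not filter_trusted and not (filter_windows and not filter_windows_untrusted)
```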
diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
new file mode 100644
index 000000000..e3220eb05
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -0,0 +1,25 @@
+title: Modify User Shell Folders Startup Value
+id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
+description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
+status: experimental
+date: 2022/10/01
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
+ TargetObject|endswith: 'Startup' # cover Common Startup and Startup
+ # can use Details|contains: path if get too many FP
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1547.001
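Review bot: The rule alerts at `level: high` on every SetValue to the `Startup` / `Common Startup` values regardless of the path written, while `falsepositives` says `Unknown`; in enterprise environments GPO folder redirection and profile-migration tools rewrite these exact values, which the comment on the `Details` line already anticipates. Excluding the two well-known default locations keeps the persistence case (a payload redirected to any other folder) while removing the most predictable noise, and `falsepositives` should name folder redirection explicitly, e.g. `- Folder redirection (GPO) or profile migration tools rewriting the Startup path`. The default strings below should be confirmed against a test event before merging.
```yaml
detection:
    selection:
        EventType: SetValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
        TargetObject|endswith: 'Startup' # cover Common Startup and Startup
    filter_default_paths:
        # default per-user and all-users Startup folders; a payload staged anywhere else still alerts
        Details:
            - '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    condition: selection and not filter_default_paths
```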
diff --git a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
index 9a22b547a..79fd1de9a 100644
--- a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
@@ -1,29 +1,29 @@
title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
id: e554f142-5cf3-4e55-ace9-a1b59e0def65
+status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
-status: experimental
-date: 2020/10/12
-modified: 2021/06/27
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+date: 2020/10/12
+modified: 2022/10/09
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.003
-references:
- - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
logsource:
product: windows
service: sysmon
detection:
- selection_one:
+ selection_one:
EventID: 11
Image: System
TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
- selection_two:
+ selection_two:
EventID: 7
Image|endswith: '\Internet Explorer\iexplore.exe'
ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
condition: selection_one or selection_two
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 768c43705..cd2eb1610 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -6,10 +6,11 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022/01/25
modified: 2022/02/01
references:
- - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
- - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
+ - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
+ - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
tags:
- - attack.process_injection
+ - attack.defense_evasion
+ - attack.privilege_escalation
- attack.t1055.012
logsource:
product: windows
@@ -18,7 +19,7 @@ detection:
selection:
Type: Image is replaced
filters:
- Image|contains:
+ Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)'
Image|endswith:
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
index 5388798cb..5cc7e9a4b 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
@@ -1,11 +1,12 @@
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
-status: experimental
+status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
-author: Florian Roth
references:
- https://github.com/RiccardoAncarani/LiquidSnake
+author: Florian Roth
date: 2021/09/01
+modified: 2022/10/09
tags:
- attack.execution
- attack.t1047
@@ -21,9 +22,9 @@ detection:
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
-fields:
- - User
- - Operation
falsepositives:
- Unknown
level: high
+fields:
+ - User
+ - Operation