att&ck tags review: windows/process_creation part 9

rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml

@@ -7,13 +7,12 @@ references:
     - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 tags:
     - attack.lateral_movement
-    - attack.privilege_escalation
-    - attack.t1076
+    - attack.t1563.002
+    - attack.t1076      # an old one
     - car.2013-07-002
-    - attack.t1021.001
 author: Florian Roth
 date: 2018/03/17
-modified: 2018/12/11
+modified: 2020/08/29
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_sysmon_driver_unload.yml

@@ -4,12 +4,15 @@ status: experimental
 author: Kirill Kiryanov, oscd.community
 description: Detect possible Sysmon driver unload
 date: 2019/10/23
-modified: 2019/11/07
+modified: 2020/08/29
 references:
     - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 logsource:
     product: windows
     category: process_creation
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 detection:
     selection:
         Image|endswith: '\fltmc.exe'

rules/windows/process_creation/win_task_folder_evasion.yml

@@ -6,14 +6,16 @@ references:
     - https://twitter.com/subTee/status/1216465628946563073
     - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
+modified: 2020/08/29
 author: Sreeman
 tags:
-    - attack.t1064
-    - attack.t1211
-    - attack.t1059
     - attack.defense_evasion
     - attack.persistence
-    - attack.t1059.005
+    - attack.execution
+    - attack.t1574.002
+    - attack.t1059  # an old one
+    - attack.t1064  # an old one
+
 logsource:
     product: Windows
 detection:

rules/windows/process_creation/win_termserv_proc_spawn.yml

@@ -6,7 +6,12 @@ references:
     - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth
 date: 2019/05/22
+modified: 2020/08/29
 tags:
+    - attack.initial_access 
+    - attack.t1190
+    - attack.lateral_movement
+    - attack.t1210
     - car.2013-07-002
 logsource:
     product: windows
@@ -19,5 +24,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Unknown
-level: high
-
+level: high

rules/windows/process_creation/win_uac_cmstp.yml

@@ -3,18 +3,18 @@ id: e66779cc-383e-4224-a3a4-267eeb585c40
 description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
 status: experimental
 author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-modified: 2019/11/11
 date: 2019/10/24
+modified: 2020/08/29
 references:
     - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
 tags:
+    - attack.privilege_escalation
     - attack.defense_evasion
-    - attack.execution
-    - attack.t1191
-    - attack.t1088
     - attack.t1548.002
-    - attack.t1218
+    - attack.t1218.003
+    - attack.t1191      # an old one
+    - attack.t1088      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_uac_fodhelper.yml

@@ -10,8 +10,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
 tags:
     - attack.privilege_escalation
-    - attack.t1088
     - attack.t1548.002
+    - attack.t1088      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_uac_wsreset.yml

@@ -9,8 +9,8 @@ references:
     - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
 tags:
     - attack.privilege_escalation
-    - attack.t1088
     - attack.t1548.002
+    - attack.t1088      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml

@@ -5,12 +5,14 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
     - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 tags:
+    - attack.persistence
+    - attack.defence_evasion
     - attack.privilege_escalation
-    - attack.t1134
+    - attack.t1574.011
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
-modified: 2019/11/11
+modified: 2020/08/29
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_vul_java_remote_debugging.yml

@@ -3,9 +3,7 @@ id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
 date: 2019/01/16
-tags:
-    - attack.discovery
-    - attack.t1046
+modified: 2020/08/29
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_webshell_detection.yml

@@ -7,10 +7,10 @@ reference:
 date: 2017/01/01
 modified: 2019/10/26
 tags:
-    - attack.privilege_escalation
     - attack.persistence
-    - attack.t1100
     - attack.t1505.003
+    - attack.privilege_escalation       # an old one
+    - attack.t1100      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_webshell_recon_detection.yml

@@ -7,10 +7,10 @@ reference:
     - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
 date: 2020/07/22
 tags:
-    - attack.privilege_escalation
     - attack.persistence
-    - attack.t1100
     - attack.t1505.003
+    - attack.privilege_escalation       # an old one
+    - attack.t1100      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_webshell_spawn.yml

@@ -27,10 +27,10 @@ fields:
     - CommandLine
     - ParentCommandLine
 tags:
-    - attack.privilege_escalation
     - attack.persistence
-    - attack.t1100
     - attack.t1505.003
+    - attack.privilege_escalation       # an old one
+    - attack.t1100      # an old one
 falsepositives:
     - Particular web applications may spawn a shell process legitimately
 level: high

rules/windows/process_creation/win_whoami_as_system.yml

@@ -8,8 +8,8 @@ author: Teymur Kheirkhabarov
 date: 2019/10/23
 modified: 2019/11/11
 tags:
-    - attack.discovery
     - attack.privilege_escalation
+    - attack.discovery    
     - attack.t1033
 logsource:
     category: process_creation

rules/windows/process_creation/win_win10_sched_task_0day.yml

@@ -6,6 +6,7 @@ references:
     - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 author: Olaf Hartong
 date: 2019/05/22
+modified: 2020/08/29
 logsource:
     category: process_creation
     product: windows
@@ -18,8 +19,7 @@ falsepositives:
     - Unknown
 tags:
     - attack.privilege_escalation
-    - attack.execution
-    - attack.t1053
-    - car.2013-08-001
     - attack.t1053.005
+    - attack.t1053      # an old one
+    - car.2013-08-001
 level: high

rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml

@@ -12,8 +12,8 @@ logsource:
     product: windows
 tags:
     - attack.persistence
-    - attack.t1084
     - attack.t1546.003
+    - attack.t1084      # an old one
 detection:
     selection:
         ParentImage: '*\EdgeTransport.exe'

rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml

@@ -6,10 +6,12 @@ references:
     - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
 date: 2018/03/07
+modified: 2020/08/29
 tags:
-    - attack.execution
     - attack.persistence
-    - attack.t1047
+    - attack.privilege_escalation
+    - attack.t1546.003
+    - attack.t1047 # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_wmi_spwns_powershell.yml

@@ -7,11 +7,13 @@ references:
     - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis / @Karneades
 date: 2019/04/03
+modified: 2020/08/29
 tags:
     - attack.execution
-    - attack.defense_evasion
-    - attack.t1064
+    - attack.t1047
     - attack.t1059.001
+    - attack.defense_evasion # an old one
+    - attack.t1064      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_wsreset_uac_bypass.yml

@@ -8,11 +8,12 @@ references:
     - https://twitter.com/ReaQta/status/1222548288731217921
 author: Florian Roth
 date: 2020/01/30
+modified: 2020/08/29
 tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1088
+    - attack.privilege_escalation
+    - attack.defense_evasion 
     - attack.t1548.002
+    - attack.t1088      # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_xsl_script_processing.yml

@@ -22,5 +22,6 @@ falsepositives:
     - msxsl.exe is not installed by default so unlikely.
 level: medium
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1220
+    - attack.execution # an old one