diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
index 9d1c44697..d94bfd9a4 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
@@ -10,6 +10,8 @@ modified: 2023/05/08
 tags:
 - cve.2021.26858
 - detection.emerging_threats
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
index b1c10e460..ced6e84b8 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
@@ -10,6 +10,8 @@ modified: 2023/01/02
 tags:
 - cve.2021.40539
 - detection.emerging_threats
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index b4052a4f3..3e1920597 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -10,6 +10,10 @@ modified: 2022/12/25
 tags:
 - cve.2021.42287
 - detection.emerging_threats
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1036
+ - attack.t1098
 logsource:
 product: windows
 service: security
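Review bot: The new `tags` entries are added without touching the rule's `modified: 2023/05/08` line that sits in this hunk's context, and the same holds for every other hunk in this diff (BlackByte, the firewall_as set, the Windows security rules, and so on). If the repository's convention counts ATT&CK tag changes as rule modifications, each touched rule should also carry `modified: <commit date, YYYY/MM/DD>`; if tag-only edits are exempt from that convention, no change is needed. The web_jndi_exploit.yml hunk further down also rewrites the `description` text, which is a content change and the strongest candidate for a `modified` bump.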
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
index 880a90460..2ad066df4 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
@@ -9,6 +9,13 @@ date: 2022/02/25
 modified: 2023/02/08
 tags:
 - detection.emerging_threats
+ - attack.execution
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1485
+ - attack.t1498
+ - attack.t1059.001
+ - attack.t1140
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
index 06dfd9bbf..f98212870 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
@@ -13,6 +13,8 @@ author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
 tags:
 - cve.2023.27997
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
index 095bfd685..6032d2de3 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
@@ -11,6 +11,8 @@ modified: 2023/07/28
 tags:
 - cve.2023.34362
 - detection.emerging_threats
+ - attack.persistence
+ - attack.t1505.003
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
index fa155845f..08fd3e661 100644
--- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2023/01/21
 tags:
 - detection.emerging_threats
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index 2610b6ae7..e6337afbc 100644
--- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/10/16
 modified: 2022/12/25
+tags:
+ - attack.execution
+ - attack.t1059.004
 logsource:
 product: linux
 category: network_connection
diff --git a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index d10b57430..4bb860662 100644
--- a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
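Review bot: The path `web_cve_2023_34362_known_payload_request.yml.yml` in this hunk's file header carries a doubled extension; it predates this commit, but since the file is being edited anyway, renaming it to a single `.yml` would bring it in line with every other rule path in the diff and with any extension filter the repo's rule tooling may apply. The tags themselves are consistent: `attack.t1505.003` is a Persistence technique and `attack.persistence` is listed alongside it.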
@@ -6,6 +6,9 @@ references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
 date: 2021/10/26
+tags:
+ - attack.impact
+ - attack.t1496
 logsource:
 product: linux
 category: network_connection
diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
index 12aec6df0..3d998d06c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 modified: 2022/12/25
+tags:
+ - attack.impact
+ - attack.t1496
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
index 4c9de4eee..948a348c1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
@@ -8,6 +8,9 @@ references:
 - https://www.computerhope.com/unix/unohup.htm
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022/06/06
+tags:
+ - attack.execution
+ - attack.t1059.004
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index 6e1f53c00..c0ac903fa 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -9,6 +9,9 @@ references:
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023/06/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index f2f0dccec..f4d1b9094 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -6,6 +6,11 @@ references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/14
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059.004
+ - attack.t1036
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/web/product/apache/web_apache_threading_error.yml b/rules/web/product/apache/web_apache_threading_error.yml
index f13feedd5..3fe9c383f 100644
--- a/rules/web/product/apache/web_apache_threading_error.yml
+++ b/rules/web/product/apache/web_apache_threading_error.yml
@@ -7,6 +7,11 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2019/01/22
 modified: 2021/11/27
+tags:
+ - attack.initial_access
+ - attack.lateral_movement
+ - attack.t1190
+ - attack.t1210
 logsource:
 service: apache
 definition: 'Requirements: Must be able to collect the error.log file'
diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
index 109cf51ab..362580333 100644
--- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
@@ -14,6 +14,8 @@ modified: 2023/01/19
 tags:
 - cve.2022.26134
 - cve.2021.26084
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml
index 72ddf0a1d..83c9ac28d 100644
--- a/rules/web/webserver_generic/web_jndi_exploit.yml
+++ b/rules/web/webserver_generic/web_jndi_exploit.yml
@@ -1,13 +1,16 @@
 title: JNDIExploit Pattern
 id: 412d55bc-7737-4d25-9542-5b396867ce55
 status: test
-description: Detects exploitation attempt using the JDNIExploiit Kit
+description: Detects exploitation attempt using the JNDI-Exploit-Kit
 references:
 - https://github.com/pimps/JNDI-Exploit-Kit
 - https://githubmemory.com/repo/FunctFan/JNDIExploit
 author: Florian Roth (Nextron Systems)
 date: 2021/12/12
 modified: 2022/12/25
+tags:
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
index 70b2603b4..365b3d6d6 100644
--- a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
@@ -10,6 +10,9 @@ references:
 author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/02/22
 modified: 2022/07/25
+tags:
+ - attack.initial_access
+ - attack.t1190
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/webserver_generic/web_ssti_in_access_logs.yml b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
index 101db7caf..1f9fdd6c1 100644
--- a/rules/web/webserver_generic/web_ssti_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
@@ -7,6 +7,9 @@ references:
 - https://github.com/payloadbox/ssti-payloads
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/14
+tags:
+ - attack.defense_evasion
+ - attack.t1221
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/webserver_generic/web_xss_in_access_logs.yml b/rules/web/webserver_generic/web_xss_in_access_logs.yml
index 2ded5b59d..661e0a038 100644
--- a/rules/web/webserver_generic/web_xss_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_xss_in_access_logs.yml
@@ -8,6 +8,9 @@ references:
 author: Saw Win Naung, Nasreddine Bencherchali
 date: 2021/08/15
 modified: 2022/06/14
+tags:
+ - attack.initial_access
+ - attack.t1189
 logsource:
 category: webserver
 detection:
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index 99647a350..1bd94c8fd 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 041c8d71e..1d65268cc 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -11,6 +11,9 @@ references:
 author: frack113
 date: 2023/02/26
 modified: 2023/05/30
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index 6a8c83109..2a06a1d55 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index e273afad9..df4255c1f 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/17
 modified: 2023/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index 901228600..fa5a3a3f6 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/06/12
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 41c42ba6e..3bd155fc1 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/01/17
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index 6b57a6622..e196c2624 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -7,6 +7,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index 9bac61aa0..afd7c90d2 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/19
 modified: 2023/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
index 011382766..8f2c34367 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
@@ -13,6 +13,9 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+ - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
index 23511c4d3..f6a26ca42 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
@@ -13,6 +13,9 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+ - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
index b0e95803d..6cdded1b3 100644
--- a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
+++ b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
@@ -13,6 +13,9 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023/04/26
+tags:
+ - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
index b09d42450..59f4f325a 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
@@ -6,6 +6,10 @@ references:
 - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
 author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
+tags:
+ - attack.defense_evasion
+ - attack.lateral_movement
+ - attack.t1550
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_add_remove_computer.yml b/rules/windows/builtin/security/win_security_add_remove_computer.yml
index 2a9b53f76..61eeeb52b 100644
--- a/rules/windows/builtin/security/win_security_add_remove_computer.yml
+++ b/rules/windows/builtin/security/win_security_add_remove_computer.yml
@@ -8,6 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
 author: frack113
 date: 2022/10/14
+tags:
+ - attack.defense_evasion
+ - attack.t1207
 logsource:
 service: security
 product: windows
diff --git a/rules/windows/builtin/security/win_security_admin_logon.yml b/rules/windows/builtin/security/win_security_admin_logon.yml
index 75235c36b..cdab695bc 100644
--- a/rules/windows/builtin/security/win_security_admin_logon.yml
+++ b/rules/windows/builtin/security/win_security_admin_logon.yml
@@ -9,6 +9,13 @@ references:
 author: frack113
 date: 2022/10/14
 modified: 2022/10/22
+tags:
+ - attack.defense_evasion
+ - attack.lateral_movement
+ - attack.credential_access
+ - attack.t1558
+ - attack.t1649
+ - attack.t1550
 logsource:
 service: security
 product: windows
diff --git a/rules/windows/builtin/security/win_security_device_installation_blocked.yml b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
index 4c8336193..6061a29aa 100644
--- a/rules/windows/builtin/security/win_security_device_installation_blocked.yml
+++ b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
@@ -7,6 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423
 author: frack113
 date: 2022/10/14
+tags:
+ - attack.initial_access
+ - attack.t1200
 logsource:
 service: security
 product: windows
diff --git a/rules/windows/builtin/security/win_security_replay_attack_detected.yml b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
index baae47629..c45ecaf55 100644
--- a/rules/windows/builtin/security/win_security_replay_attack_detected.yml
+++ b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
@@ -7,6 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
 author: frack113
 date: 2022/10/14
+tags:
+ - attack.credential_access
+ - attack.t1558
 logsource:
 service: security
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
index 62049c326..4d50d1bbb 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -6,6 +6,9 @@ references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
 date: 2022/05/09
+tags:
+ - attack.defense_evasion
+ - attack.t1027
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index 6c494561c..cf0bac018 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -6,6 +6,12 @@ references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
 date: 2022/05/09
+tags:
+ - attack.command_and_control
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.t1105
+ - attack.t1036
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index ca222a38f..e897e5b38 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -6,6 +6,11 @@ references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
 date: 2022/05/09
+tags:
+ - attack.defense_evasion
+ - attack.initial_access
+ - attack.t1027
+ - attack.t1566.001
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
index 771b72aec..0699b73a2 100644
--- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
@@ -10,6 +10,10 @@ references:
 author: Tim Shelton
 date: 2022/01/10
 modified: 2022/12/02
+tags:
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
index a6c96523f..8a71f6b97 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
@@ -11,6 +11,9 @@ references:
 - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
 author: Florian Roth (Nextron Systems)
 date: 2022/02/11
+tags:
+ - attack.initial_access
+ - attack.t1566.001
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index 4cc8f3f91..ccd80c664 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/11/20
 modified: 2023/03/29
+tags:
+ - attack.execution
+ - attack.t1059
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index c3d0b3929..2255408e8 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -10,6 +10,9 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2023/03/14
+tags:
+ - attack.defense_evasion
+ - attack.t1036
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index d6d82c8c7..93624a285 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021/12/07
 modified: 2022/08/13
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
index 91c393cd3..698d16a94 100644
--- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -8,6 +8,9 @@ references:
 author: frack113
 date: 2022/02/19
 modified: 2023/01/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036.008
 logsource:
 product: windows
 category: file_rename
diff --git a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index 64f9a0536..ce77a895e 100644
--- a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
@@ -7,6 +7,9 @@ references:
 - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 author: Florian Roth (Nextron Systems)
 date: 2022/04/20
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
index c19f028db..fd1f82017 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
@@ -6,6 +6,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 author: frack113
 date: 2022/12/25
+tags:
+ - attack.defense_evasion
+ - attack.t1620
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
index 71738e1b2..a74722799 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
@@ -10,6 +10,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
 author: frack113
 date: 2022/12/25
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
index d9bcf8a6b..13adc62bf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
@@ -9,6 +9,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
 author: frack113
 date: 2022/12/23
+tags:
+ - attack.command_and_control
+ - attack.t1132.001
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index aa42855b6..56b3043b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -11,6 +11,9 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
index 8ec78a828..c5f6118b2 100644
--- a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
@@ -7,6 +7,9 @@ references:
 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
 author: Florian Roth (Nextron Systems)
 date: 2021/12/28
+tags:
+ - attack.discovery
+ - attack.t1082
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
index 143ea8040..cca1a3226 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
@@ -10,6 +10,18 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 modified: 2023/03/08
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1047
+ - attack.t1053
+ - attack.t1059.003
+ - attack.t1059.001
+ - attack.t1110
+ - attack.t1201
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index c3d2696ae..3ea7a774b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -7,6 +7,10 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/03/04
 modified: 2023/02/04
+tags:
+ - attack.credential_access
+ - attack.t1588.002
+ - attack.t1003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index 45f7c6edb..e00829046 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
@@ -8,6 +8,10 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/04/27
 modified: 2023/02/04
+tags:
+ - attack.credential_access
+ - attack.t1588.002
+ - attack.t1003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 302f855db..39da0d883 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
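Review bot: In the proc_creation_win_hktl_execution_via_imphashes.yml hunk (and identically in proc_creation_win_hktl_execution_via_pe_metadata.yml just below it), `attack.t1588.002` is a Resource Development technique, but the only tactic tag added is `attack.credential_access`, which pairs with `attack.t1003` alone. Either add `- attack.resource_development` next to `- attack.credential_access`, or drop T1588.002 if the intent is to tag what the rule observes on the host rather than how the tooling was obtained. If the repository runs a tactic/technique consistency check over tags, this pairing would presumably fail it; the same check would also flag the pchunter hunk on the next line, which lists `attack.execution` with no execution technique under it.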
@@ -9,6 +9,14 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/10/10
 modified: 2023/02/13
+tags:
+    - attack.execution
+    - attack.discovery
+    - attack.t1082
+    - attack.t1057
+    - attack.t1012
+    - attack.t1083
+    - attack.t1007
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
index 1a36b1f82..713560145 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems), Microsoft (idea)
 date: 2022/08/04
 modified: 2023/01/23
+tags:
+    - attack.persistence
+    - attack.t1505.004
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
index 6346928bd..a09b031f6 100644
--- a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
@@ -6,6 +6,9 @@ references:
     - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/26
+tags:
+    - attack.lateral_movement
+    - attack.t1210
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
index 4a61856b4..8b36a9301 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
@@ -6,6 +6,9 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/16
+tags:
+    - attack.command_and_control
+    - attack.t1105
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
index 3e95a15ab..ebe241db3 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -7,6 +7,14 @@ references:
 author: Tim Shelton (HAWK.IO)
 date: 2021/12/09
 modified: 2023/02/21
+tags:
+    - attack.defense_evasion
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.lateral_movement
+    - attack.t1021.002
+    - attack.t1078
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
index ebb8e4659..234522a84 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
@@ -6,6 +6,9 @@ references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Hieu Tran
 date: 2023/03/13
+tags:
+    - attack.command_and_control
+    - attack.t1132.001
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
index 0943424f9..816c457b4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
@@ -10,6 +10,9 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
 author: frack113
 date: 2022/12/25
+tags:
+    - attack.command_and_control
+    - attack.t1105
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
index 5e1824a34..f62086100 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
@@ -7,6 +7,11 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/03/24
 modified: 2023/01/05
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1105
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
index 207807e7b..39bcefd19 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -6,6 +6,11 @@ references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Florian Roth (Nextron Systems), Hieu Tran
 date: 2023/03/13
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1105
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
index 5efafcdfc..93be2928f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
@@ -6,6 +6,9 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 author: frack113
 date: 2022/12/25
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
index c4ecbb9ed..0ad8ddbc4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -11,6 +11,11 @@ references:
     - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/18
+tags:
+    - attack.credential_access
+    - attack.execution
+    - attack.t1552.004
+    - attack.t1059.001
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
index 24390ceea..3d3dc52ea 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
@@ -9,6 +9,9 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
 author: frack113
 date: 2022/12/23
+tags:
+    - attack.command_and_control
+    - attack.t1132.001
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
index 13e2d5b22..17c30c21d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/03/24
 modified: 2022/11/28
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
index ae53790f7..e35a26994 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -7,6 +7,9 @@ references:
 author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
 modified: 2022/07/14
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
index 2e913cdca..62b0471b5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/04/26
 modified: 2023/05/30
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
index d941ae9fe..4c039671b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
@@ -11,6 +11,9 @@ references:
     - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index 2d394c13e..495145207 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -13,6 +13,13 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
 modified: 2023/02/21
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1564.003
+    - attack.t1134.002
+    - attack.t1059.003
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index 48859f0cb..db0eda6db 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -13,6 +13,10 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
 modified: 2023/02/21
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1134.002
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index 250f354b1..bcbe37797 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -11,6 +11,14 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/10/10
 modified: 2023/05/08
+tags:
+    - attack.defense_evasion
+    - attack.discovery
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1622
+    - attack.t1564
+    - attack.t1543
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index 53add6771..e7fe73930 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -9,6 +9,14 @@ references:
     - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
 date: 2023/05/08
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.discovery
+    - attack.defense_evasion
+    - attack.t1082
+    - attack.t1564
+    - attack.t1543
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
index 2c0d5561e..1d109b63a 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -7,6 +7,9 @@ references:
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
 modified: 2023/03/24
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
index 4892a1a1e..c1eae40a6 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
@@ -7,6 +7,11 @@ references:
 author: pH-T (Nextron Systems)
 date: 2022/07/15
 modified: 2023/02/03
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1053.005
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
index e0579d345..d19ec1e2e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -8,6 +8,10 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/27
 modified: 2022/08/02
+tags:
+    - attack.command_and_control
+    - attack.t1105
+    - attack.t1608
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 32484460d..7dfbf4f90 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
@@ -7,6 +7,11 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 modified: 2022/11/18
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1564
+    - attack.t1059
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
index da9dc0996..392250f9d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
@@ -9,6 +9,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2023/01/18
 modified: 2023/01/21
+tags:
+    - attack.command_and_control
+    - attack.t1102
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 4591730e4..d8bc452d4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -8,6 +8,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/03/21
 modified: 2022/09/08
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_progname.yml b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
index 17d273aba..0fb1e74e8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_progname.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/02/11
 modified: 2023/03/22
+tags:
+    - attack.execution
+    - attack.t1059
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
index e216cb8ff..684726501 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -8,6 +8,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/01/16
 modified: 2022/09/09
+tags:
+    - attack.exfiltration
+    - attack.t1048
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 2f91b2cf3..c04053cc5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -8,6 +8,13 @@ references:
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
 modified: 2023/01/19
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1134
+    - attack.t1003
+    - attack.t1027
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
index 1c6d465ab..31fc12b12 100644
--- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
@@ -13,7 +13,10 @@ author: Florian Roth (Nextron Systems)
 date: 2022/10/14
 modified: 2023/08/23
 tags:
-    - attack.execution
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+    - attack.t1036
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
index f88d67421..85992dacd 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
@@ -7,6 +7,9 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022/02/26
 modified: 2022/05/13
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
     category: process_creation
     product: windows