Revert "att&ck tags review: windows/process_creation part 5"

This reverts commit e94c47e74e.
2020-09-07 01:28:08 +04:00
parent e94c47e74e
commit 7ae76b8d99
26 changed files with 45 additions and 98 deletions
@@ -5,7 +5,7 @@ description: Detects a Powershell process that contains download commands in its
 author: Florian Roth
 date: 2019/01/16
 tags:
-    - attack.t1086  # an old one
+    - attack.t1086
    - attack.execution
    - attack.t1059.001
 logsource:
@@ -6,12 +6,9 @@ references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
 author: Florian Roth
 date: 2020/01/29
-modified: 2020/09/06
 tags: 
    - attack.t1027
    - attack.defense_evasion
-    - attack.t1140
-    - attack.t1059.001
 logsource:
    category: process_creation
    product: windows
@@ -6,7 +6,7 @@ references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 tags:
    - attack.execution
-    - attack.t1086 # an old one
+    - attack.t1086
    - attack.t1059.001
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 date: 2019/01/16
@@ -4,13 +4,11 @@ description: Detects suspicious powershell process which includes bxor command,
 status: experimental
 author: Sami Ruohonen, Harish Segar (improvement)
 date: 2018/09/05
-modified: 2020/09/06
+modified: 2020/06/29
 tags:
-    - attack.defense_evasion
-    - attack.t1086 # an old one
+    - attack.execution
+    - attack.t1086
    - attack.t1059.001
-    - attack.t1140
-    - attack.t1027
 logsource:
    category: process_creation
    product: windows
@@ -25,8 +25,8 @@ tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
-    - attack.t1053 # an old one
-    - attack.t1086 # an old one
+    - attack.t1053
+    - attack.t1086
    - attack.s0111
    - attack.g0022
    - attack.g0060
@@ -9,12 +9,10 @@ references:
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
    - https://attack.mitre.org/techniques/T1036/
 date: 2019/02/23
-modified: 2020/09/06
+modified: 2019/08/20
 tags:
    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
-    - attack.t1036.005
+    - attack.t1036
 logsource:
    category: process_creation
    product: windows
@@ -10,9 +10,8 @@ tags:
    - attack.persistence
    - attack.t1197
    - attack.s0190
-    - attack.t1036.003
 date: 2017/03/09
-modified: 2020/09/06
+modified: 2019/12/06
 author: Michael Haag
 logsource:
    category: process_creation
@@ -6,10 +6,11 @@ references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
 author: Florian Roth
 date: 2020/02/18
-modified: 2020/09/06
 tags:
+    - attack.defense_evasion
+    - attack.t1036
    - attack.credential_access
-    - attack.t1003 # an old one
+    - attack.t1003
    - car.2013-05-009
    - attack.t1003.001
 logsource:
@@ -6,7 +6,7 @@ date: 2018/03/13
 modified: 2012/12/11
 tags:
    - attack.execution
-    - attack.t1035 # an old one
+    - attack.t1035
    - attack.s0029
    - attack.t1569.002
 logsource:
@@ -4,13 +4,9 @@ description: Detects RDP session hijacking by using MSTSC shadowing
 status: experimental
 author: Florian Roth
 date: 2020/01/24
-modified: 2020/09/06
 references:
    - https://twitter.com/kmkz_security/status/1220694202301976576
    - https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
-tags:
-    - attack.lateral_movement
-    - attack.t1563.002
 logsource:
    category: process_creation
    product: windows
@@ -5,14 +5,10 @@ references:
    - https://redmimicry.com
 author: Alexander Rausch
 date: 2020/06/24
-modified: 2020/09/06
 tags:
    - attack.execution
-    - attack.defense_evasion
-    - attack.t1059 # an old one
+    - attack.t1059
    - attack.t1106
-    - attack.t1059.003
-    - attack.t1218.011
 logsource:
    product: windows
    category: process_creation
@@ -3,13 +3,13 @@ id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
 description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
 status: experimental
 date: 2019/09/12
-modified: 2020/09/06
+modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-190511223310.yaml
+    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
 tags:
    - attack.execution
-    - attack.t1086 # an old one
+    - attack.t1086
    - attack.t1059.001
 logsource:
    category: process_creation
@@ -4,15 +4,14 @@ status: experimental
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
 date: 2019/06/15
-modified: 2020/09/06
+modified: 2019/11/11
 references:
    - https://attack.mitre.org/techniques/T1036/
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 tags:
+    - attack.t1036
    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
 logsource:
    category: process_creation
    product: windows
@@ -4,15 +4,13 @@ status: experimental
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 author: Matthew Green - @mgreen27, Florian Roth
 date: 2019/06/15
-modified: 2020/09/06
 references:
    - https://attack.mitre.org/techniques/T1036/
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 tags:
+    - attack.t1036
    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
 logsource:
    category: process_creation
    product: windows
@@ -5,14 +5,10 @@ description: Detects renamed jusched.exe used by cobalt group
 references:
    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 tags:
+    - attack.t1036 
    - attack.execution
-    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
-
 author: Markus Neis, Swisscom
 date: 2019/06/04
-modified: 2020/09/06
 logsource:
    category: process_creation
    product: windows
@@ -7,12 +7,10 @@ references:
    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 tags:
    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
+    - attack.t1036
    - FIN7
    - car.2013-05-009
 date: 2019/04/17
-modified: 2020/09/06
 author: Jason Lynch 
 falsepositives:
    - Unknown imphashes
@@ -6,12 +6,8 @@ references:
    - https://twitter.com/christophetd/status/1164506034720952320
 author: Florian Roth
 date: 2019/08/22
-modified: 2020/09/06
 tags:
    - car.2013-05-009
-    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
 logsource:
    product: windows
    category: process_creation
@@ -6,11 +6,9 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2020/09/06
 tags:
    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
+    - attack.t1036
 logsource:
    product: windows
    category: process_creation
@@ -6,12 +6,8 @@ references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
 date: 2019/05/21
-modified: 2020/09/06
 tags:
    - car.2013-05-009
-    - attack.defense_evasion
-    - attack.t1036 # an old one
-    - attack.t1036.003
 logsource:
    product: windows
    category: process_creation
@@ -8,7 +8,7 @@ author: Sergey Soldatov, Kaspersky Lab, oscd.community
 date: 2019/10/30
 tags:
    - attack.defense_evasion
-    - attack.t1096 # an old one
+    - attack.t1096
    - attack.t1564.004
 logsource:
    category: process_creation
@@ -6,12 +6,10 @@ references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 tags:
    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1138 # an old one
+    - attack.t1138
    - attack.t1546.011
 author: Markus Neis
 date: 2019/01/16
-modified: 2020/09/06
 logsource:
    category: process_creation
    product: windows
@@ -4,7 +4,7 @@ status: experimental
 description: Detects manual service execution (start) via system utilities
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
-modified: 2020/09/06
+modified: 2019/11/04
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
 logsource:
@@ -15,7 +15,6 @@ detection:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
-            - '\sc.exe'
        CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression 
    condition: selection
 falsepositives:
@@ -23,5 +22,5 @@ falsepositives:
 level: low
 tags:
    - attack.execution
-    - attack.t1035 # an old one
+    - attack.t1035
    - attack.t1569.002
@@ -7,7 +7,7 @@ references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
    - attack.credential_access
-    - attack.t1003 # an old one
+    - attack.t1003
    - attack.t1003.002
    - attack.t1003.003
 logsource:
@@ -6,14 +6,13 @@ references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
 date: 2018/04/06
-modified: 2020/09/06
+modified: 2019/02/05
 tags:
    - attack.execution
    - attack.defense_evasion
-    - attack.t1064 # an old one
+    - attack.t1064
    - attack.t1059.005
    - attack.t1059.001
-    - attack.t1218
 logsource:
    category: process_creation
    product: windows
@@ -7,16 +7,24 @@ references:
    - https://github.com/byt3bl33d3r/SILENTTRINITY
 author: Aleksey Potapov, oscd.community
 date: 2019/10/22
-modified: 2020/09/06
+modified: 2019/11/04
 tags:
-    - attack.command_and_control
-level: high
-logsource:
-    category: process_creation
-    product: windows
+    - attack.execution
 detection:
    selection:
        Description|contains: 'st2stager'
    condition: selection
 falsepositives:
    - unknown
+level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
@@ -1,23 +0,0 @@
-action: global
-title: SILENTTRINITY Stager Execution
-id: 03552375-cc2c-4883-bbe4-7958d5a980be
-status: experimental
-description: Detects SILENTTRINITY stager use
-references:
-    - https://github.com/byt3bl33d3r/SILENTTRINITY
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2020/09/06
-tags:
-    - attack.command_and_control
-level: high
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Description|contains: 'st2stager'
-    condition: selection
-falsepositives:
-    - unknown