From 7ae76b8d9906d3c33ed7a2c6bd276777560fa2d2 Mon Sep 17 00:00:00 2001
From: e6e6e
Date: Mon, 7 Sep 2020 01:28:08 +0400
Subject: [PATCH] Revert "att&ck tags review: windows/process_creation part 5"
This reverts commit e94c47e74ebd8d96839c91cebc868cd792c3e6da.
---
.../win_powershell_download.yml | 2 +-
.../win_powershell_frombase64string.yml | 3 ---
...ershell_suspicious_parameter_variation.yml | 2 +-
.../win_powershell_xor_commandline.yml | 8 +++----
.../win_powersploit_empire_schtasks.yml | 4 ++--
.../win_proc_wrong_parent.yml | 6 ++---
...in_process_creation_bitsadmin_download.yml | 3 +--
.../win_process_dump_rundll32_comsvcs.yml | 5 ++--
.../process_creation/win_psexesvc_start.yml | 2 +-
.../win_rdp_hijack_shadowing.yml | 4 ----
.../win_redmimicry_winnti_proc.yml | 6 +----
.../win_remote_powershell_session_process.yml | 6 ++---
.../process_creation/win_renamed_binary.yml | 5 ++--
.../win_renamed_binary_highly_relevant.yml | 4 +---
.../process_creation/win_renamed_jusched.yml | 6 +----
.../process_creation/win_renamed_paexec.yml | 4 +---
.../win_renamed_powershell.yml | 4 ----
.../process_creation/win_renamed_procdump.yml | 4 +---
.../process_creation/win_renamed_psexec.yml | 4 ----
.../win_run_powershell_script_from_ads.yml | 2 +-
.../win_sdbinst_shim_persistence.yml | 4 +---
.../win_service_execution.yml | 5 ++--
.../win_shadow_copies_access_symlink.yml | 2 +-
.../win_shell_spawn_susp_program.yml | 5 ++--
.../win_silenttrinity_stage_use.yml | 20 +++++++++++-----
.../sysmon/sysmon_silenttrinity_stage_use.yml | 23 -------------------
26 files changed, 45 insertions(+), 98 deletions(-)
delete mode 100644 rules/windows/sysmon/sysmon_silenttrinity_stage_use.yml
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index e142a17d2..813a45bfd 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -5,7 +5,7 @@ description: Detects a Powershell process that contains download commands in its
author: Florian Roth
date: 2019/01/16
tags:
- - attack.t1086 # an old one
+ - attack.t1086
- attack.execution
- attack.t1059.001
logsource:
diff --git a/rules/windows/process_creation/win_powershell_frombase64string.yml b/rules/windows/process_creation/win_powershell_frombase64string.yml
index d48e7c449..dc680596e 100644
--- a/rules/windows/process_creation/win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/win_powershell_frombase64string.yml
@@ -6,12 +6,9 @@ references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth
date: 2020/01/29
-modified: 2020/09/06
tags:
- attack.t1027
- attack.defense_evasion
- - attack.t1140
- - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index b422d6159..620edf36c 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -6,7 +6,7 @@ references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
- attack.execution
- - attack.t1086 # an old one
+ - attack.t1086
- attack.t1059.001
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019/01/16
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index 9234f27f4..fa3331894 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -4,13 +4,11 @@ description: Detects suspicious powershell process which includes bxor command,
status: experimental
author: Sami Ruohonen, Harish Segar (improvement)
date: 2018/09/05
-modified: 2020/09/06
+modified: 2020/06/29
tags:
- - attack.defense_evasion
- - attack.t1086 # an old one
+ - attack.execution
+ - attack.t1086
- attack.t1059.001
- - attack.t1140
- - attack.t1027
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index 4509852b1..a3094b5bf 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -25,8 +25,8 @@ tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- - attack.t1053 # an old one
- - attack.t1086 # an old one
+ - attack.t1053
+ - attack.t1086
- attack.s0111
- attack.g0022
- attack.g0060
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index ed200d806..ee94fde67 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -9,12 +9,10 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
-modified: 2020/09/06
+modified: 2019/08/20
tags:
- attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
- - attack.t1036.005
+ - attack.t1036
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
index 76e13ba2a..d119abbe5 100644
--- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
+++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
@@ -10,9 +10,8 @@ tags:
- attack.persistence
- attack.t1197
- attack.s0190
- - attack.t1036.003
date: 2017/03/09
-modified: 2020/09/06
+modified: 2019/12/06
author: Michael Haag
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 0ede71785..5d85fbdf7 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -6,10 +6,11 @@ references:
- https://twitter.com/shantanukhande/status/1229348874298388484
author: Florian Roth
date: 2020/02/18
-modified: 2020/09/06
tags:
+ - attack.defense_evasion
+ - attack.t1036
- attack.credential_access
- - attack.t1003 # an old one
+ - attack.t1003
- car.2013-05-009
- attack.t1003.001
logsource:
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index a0125bc7d..a2c3dbf17 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -6,7 +6,7 @@ date: 2018/03/13
modified: 2012/12/11
tags:
- attack.execution
- - attack.t1035 # an old one
+ - attack.t1035
- attack.s0029
- attack.t1569.002
logsource:
diff --git a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
index 6de34224d..9285babdd 100644
--- a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
@@ -4,13 +4,9 @@ description: Detects RDP session hijacking by using MSTSC shadowing
status: experimental
author: Florian Roth
date: 2020/01/24
-modified: 2020/09/06
references:
- https://twitter.com/kmkz_security/status/1220694202301976576
- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
-tags:
- - attack.lateral_movement
- - attack.t1563.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
index 25fe162a3..d7f7e9a5d 100644
--- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -5,14 +5,10 @@ references:
- https://redmimicry.com
author: Alexander Rausch
date: 2020/06/24
-modified: 2020/09/06
tags:
- attack.execution
- - attack.defense_evasion
- - attack.t1059 # an old one
+ - attack.t1059
- attack.t1106
- - attack.t1059.003
- - attack.t1218.011
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 623272245..5509721e2 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
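Review bot: Removing the whole `-tags:` block in the win_rdp_hijack_shadowing hunk leaves the rule with no ATT&CK mapping at all, which is worse than either tag set: it disappears from tag-driven tooling (coverage layers from sigma2attack, `--filter tag=...` in sigmac) and from any audit of which techniques the ruleset covers. `attack.lateral_movement` and `attack.t1563.002` were not corrections of older tags but the only mapping the rule had, and RDP session shadowing is exactly T1563.002, so a revert of the tag review should still keep `tags:` with those two entries. If the intent is to redo the review later, an empty-tags rule is the state most likely to be forgotten.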
@@ -3,13 +3,13 @@ id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
status: experimental
date: 2019/09/12
-modified: 2020/09/06
+modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-190511223310.yaml
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- - attack.t1086 # an old one
+ - attack.t1086
- attack.t1059.001
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index 155b10d05..7d50a9054 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml
@@ -4,15 +4,14 @@ status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
date: 2019/06/15
-modified: 2020/09/06
+modified: 2019/11/11
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
tags:
+ - attack.t1036
- attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 9e4d26755..4dfd6f6cb 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
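Review bot: The restored reference line `- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md` in the win_remote_powershell_session_process hunk is the pre-reorganisation path of the playbook, which as far as I can tell now lives under the OTRF organisation with the `WIN-190511223310` identifier, so this link is likely dead. The link update was independent of the ATT&CK tag review being reverted, so it should survive the revert: keep `- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-190511223310.yaml` (or list both). Rolling `modified` back to `2019/11/10` also makes the rule's own metadata predate the change this commit makes to the file; bumping it to the revert date would be more honest.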
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -4,15 +4,13 @@ status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Florian Roth
date: 2019/06/15
-modified: 2020/09/06
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
tags:
+ - attack.t1036
- attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
index 12cf89f4b..7e03d04a7 100644
--- a/rules/windows/process_creation/win_renamed_jusched.yml
+++ b/rules/windows/process_creation/win_renamed_jusched.yml
@@ -5,14 +5,10 @@ description: Detects renamed jusched.exe used by cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
+ - attack.t1036
- attack.execution
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
-
author: Markus Neis, Swisscom
date: 2019/06/04
-modified: 2020/09/06
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index 04c1cbb3a..f1ea132a9 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -7,12 +7,10 @@ references:
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
tags:
- attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+ - attack.t1036
- FIN7
- car.2013-05-009
date: 2019/04/17
-modified: 2020/09/06
author: Jason Lynch
falsepositives:
- Unknown imphashes
diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
index 377458c18..9522fcee2 100644
--- a/rules/windows/process_creation/win_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -6,12 +6,8 @@ references:
- https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth
date: 2019/08/22
-modified: 2020/09/06
tags:
- car.2013-05-009
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
index fbcb1d6e5..2fbe3a4a1 100644
--- a/rules/windows/process_creation/win_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -6,11 +6,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
-modified: 2020/09/06
tags:
- attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+ - attack.t1036
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 4a1ab2244..208af0d3a 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -6,12 +6,8 @@ references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
author: Florian Roth
date: 2019/05/21
-modified: 2020/09/06
tags:
- car.2013-05-009
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index 03adb95e5..eaa76e6c7 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -8,7 +8,7 @@ author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019/10/30
tags:
- attack.defense_evasion
- - attack.t1096 # an old one
+ - attack.t1096
- attack.t1564.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index ba53269eb..b98a0c866 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -6,12 +6,10 @@ references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
tags:
- attack.persistence
- - attack.privilege_escalation
- - attack.t1138 # an old one
+ - attack.t1138
- attack.t1546.011
author: Markus Neis
date: 2019/01/16
-modified: 2020/09/06
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 02d8c38ec..72b3903f6 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects manual service execution (start) via system utilities
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
-modified: 2020/09/06
+modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
logsource:
@@ -15,7 +15,6 @@ detection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
- - '\sc.exe'
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
falsepositives:
@@ -23,5 +22,5 @@ falsepositives:
level: low
tags:
- attack.execution
- - attack.t1035 # an old one
+ - attack.t1035
- attack.t1569.002
diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
index e627298ca..45149619b 100644
--- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
@@ -7,7 +7,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- - attack.t1003 # an old one
+ - attack.t1003
- attack.t1003.002
- attack.t1003.003
logsource:
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index be5c568ec..17968c3b4 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
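Review bot: Dropping `- '\sc.exe'` from the `Image|endswith` list in the second win_service_execution hunk is a coverage regression, not a tag change: `sc.exe start <service>` (including the remote form `sc \\host start <service>`) is the most direct native way to perform T1569.002, and the rule keeps that tag while no longer matching it. The reverted commit bundled this detection edit with the ATT&CK tag review, but the two are independent, so keep `- '\sc.exe'` in the list and revert only the tags; the existing `CommandLine|contains: ' start '` filter already fits sc's syntax, and if I recall correctly the referenced Atomic T1035 tests drive the service through sc.exe. The `selection:` key that opens this mapping sits above the hunk.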
@@ -6,14 +6,13 @@ references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth
date: 2018/04/06
-modified: 2020/09/06
+modified: 2019/02/05
tags:
- attack.execution
- attack.defense_evasion
- - attack.t1064 # an old one
+ - attack.t1064
- attack.t1059.005
- attack.t1059.001
- - attack.t1218
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index 4e775a1ef..a59e26e4a 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -7,16 +7,24 @@ references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
-modified: 2020/09/06
+modified: 2019/11/04
tags:
- - attack.command_and_control
-level: high
-logsource:
- category: process_creation
- product: windows
+ - attack.execution
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- unknown
+level: high
+---
+logsource:
+ category: process_creation
+ product: windows
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
diff --git a/rules/windows/sysmon/sysmon_silenttrinity_stage_use.yml b/rules/windows/sysmon/sysmon_silenttrinity_stage_use.yml
deleted file mode 100644
index ec7f83e9b..000000000
--- a/rules/windows/sysmon/sysmon_silenttrinity_stage_use.yml
+++ /dev/null
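Review bot: The restored three-document layout of win_silenttrinity_stage_use only yields the intended rule if the first document still begins with `action: global` (above the hunk, so not verifiable here) and if the backend deep-merges `detection.selection`, so that the third document's `EventID: 7` is ANDed with the global `Description|contains: 'st2stager'` rather than replacing the whole `detection` mapping; a shallow merge would leave the Sysmon document with no `condition` or matching every image load, so this is worth confirming with sigmac before merging rather than assuming the split file deleted below was equivalent. Independently of the layout, the match keys solely on the file-version `Description` metadata of the stager assembly (and, for EventID 7, of the loaded DLL), which an operator changes by rebuilding SILENTTRINITY with different assembly attributes; a comment next to the selection such as `# matches the stager's FileVersionInfo Description string - trivially changed by rebuilding the stager` and a `falsepositives` entry noting that renamed or rebuilt stagers will be missed would make the brittleness explicit. Placing `+level: high` after `falsepositives` also departs from the key order used by the other rules in this diff, where `level` sits before `logsource`.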
@@ -1,23 +0,0 @@
-action: global
-title: SILENTTRINITY Stager Execution
-id: 03552375-cc2c-4883-bbe4-7958d5a980be
-status: experimental
-description: Detects SILENTTRINITY stager use
-references:
- - https://github.com/byt3bl33d3r/SILENTTRINITY
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2020/09/06
-tags:
- - attack.command_and_control
-level: high
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Description|contains: 'st2stager'
- condition: selection
-falsepositives:
- - unknown