From 95793d73bd34b27653bc2f55cb80db402655ea01 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 18 Oct 2023 11:53:44 +0200 Subject: [PATCH] Merge PR #4482 From @nasbench - Add New Automation Workflows chore: update workflows and add quality of life updates and automation to the repository --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .github/labeler.yml | 37 + .github/workflows/greetings.yml | 34 + .github/workflows/pr-labeler.yml | 15 + .github/workflows/ref-archiver.yml | 33 + .github/workflows/sigma-rule-promoter.yml | 54 + .github/workflows/sigma-test.yml | 22 +- .github/workflows/sigma-validation.yml | 21 + .yamllint | 27 +- CONTRIBUTING.md | 46 + LICENSE.Detection.Rules.md | 17 - Pipfile | 2 - _config.yml | 1 - ...eation_win_apt_turla_commands_critical.yml | 2 +- .../proc_creation_win_malware_adwind.yml | 12 +- .../proc_creation_win_malware_wannacry.yml | 50 +- .../pipe_created_apt_turla_named_pipes.yml | 2 +- .../TA/APT28/proc_creation_win_apt_sofacy.yml | 6 +- ...apt_apt29_phishing_campaign_indicators.yml | 4 +- .../proc_creation_win_malware_babyshark.yml | 10 +- .../proc_creation_win_malware_formbook.yml | 24 +- ...ation_win_apt_equationgroup_dll_u_load.yml | 4 +- .../proc_creation_win_apt_mustangpanda.yml | 19 +- ..._win_malware_emotet_rundll32_execution.yml | 2 +- .../proc_creation_win_apt_gallium_iocs.yml | 76 +- .../proc_creation_win_apt_unc2452_cmds.yml | 4 +- ...le_event_win_cve_2021_26858_msexchange.yml | 6 +- ...oc_creation_win_exploit_cve_2021_41379.yml | 12 +- ...malware_conti_ransomware_database_dump.yml | 4 +- ...g_googleupdate_uncommon_child_instance.yml | 4 +- .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 4 +- ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 12 +- ...on_win_malware_hermetic_wiper_activity.yml | 10 +- ...oit_cve_2023_23397_outlook_remote_file.yml | 14 +- ...exploit_cve_2023_34362_moveit_transfer.yml | 2 +- ...ploit_cve_2023_38831_winrar_child_proc.yml | 14 +- 
...lware_darkgate_autoit3_binary_creation.yml | 6 +- ..._autoit3_from_susp_parent_and_location.yml | 8 +- ...win_malware_qakbot_uninstaller_cleanup.yml | 10 +- ...win_malware_socgholish_second_stage_c2.yml | 2 +- ...e_load_malware_3cx_compromise_susp_dll.yml | 24 +- ...n_win_malware_3cx_compromise_execution.yml | 48 +- ...storm_aspera_faspex_susp_child_process.yml | 74 +- ...storm_manage_engine_susp_child_process.yml | 74 +- ...4841_wget_download_tar_files_direct_ip.yml | 10 +- .../azure_ad_account_signin_outside_hours.yml | 2 +- .../azure_privileged_account_no_saw_paw.yml | 2 +- ...ileged_account_sigin_expected_controls.yml | 2 +- ...rivileged_account_signin_outside_hours.yml | 2 +- ...on_win_userdomain_variable_enumeration.yml | 2 +- .../file_event_win_susp_binary_dropper.yml | 10 +- .../proc_creation_win_curl_fileupload.yml | 8 +- .../proc_creation_win_net_quic.yml | 8 +- ...n_powershell_abnormal_commandline_size.yml | 8 +- ..._creation_win_powershell_import_module.yml | 8 +- ...reation_win_rundll32_dllregisterserver.yml | 2 +- rules/category/antivirus/av_hacktool.yml | 89 +- .../category/antivirus/av_password_dumper.yml | 35 +- rules/category/antivirus/av_webshell.yml | 107 +- ...ssed_role_to_glue_development_endpoint.yml | 2 +- .../azure_kubernetes_cronjob.yml | 2 +- ...entity_protection_anonymous_ip_address.yml | 2 +- ...identity_protection_leaked_credentials.yml | 2 +- .../github/github_delete_action_invoked.yml | 2 +- ...github_disable_high_risk_configuration.yml | 2 +- rules/cloud/github/github_new_org_member.yml | 2 +- .../github/github_new_secret_created.yml | 2 +- .../lnx_auditd_modify_system_firewall.yml | 4 +- .../auditd/lnx_auditd_susp_c2_commands.yml | 2 +- .../proc_creation_lnx_base64_execution.yml | 16 +- .../proc_creation_lnx_base64_shebang_cli.yml | 10 +- .../proc_creation_lnx_hack_tools.yml | 30 +- .../proc_creation_lnx_iptables_flush_ufw.yml | 4 +- .../proc_creation_lnx_kill_process.yml | 6 +- ...proc_creation_lnx_netcat_reverse_shell.yml | 4 
+- .../proc_creation_lnx_perl_reverse_shell.yml | 12 +- .../proc_creation_lnx_python_pty_spawn.yml | 10 +- ...c_creation_lnx_remote_system_discovery.yml | 10 +- ...proc_creation_lnx_susp_curl_fileupload.yml | 8 +- .../proc_creation_lnx_susp_history_delete.yml | 10 +- .../proc_creation_lnx_susp_history_recon.yml | 10 +- .../proc_creation_lnx_susp_pipe_shell.yml | 16 +- .../proc_creation_macos_binary_padding.yml | 2 +- ...ion_macos_dscl_add_user_to_admin_group.yml | 2 +- ...n_macos_dseditgroup_add_to_admin_group.yml | 2 +- ...creation_macos_jxa_in_memory_execution.yml | 4 +- ...creation_macos_remote_system_discovery.yml | 10 +- ...cos_susp_execution_macos_script_editor.yml | 42 +- .../network/zeek/zeek_dns_susp_zbit_flag.yml | 8 +- .../zeek/zeek_http_omigod_no_auth_rce.yml | 4 +- .../network/zeek/zeek_rdp_public_listener.yml | 8 +- .../zeek_smb_converted_win_atsvc_task.yml | 2 +- rules/web/proxy_generic/proxy_ua_malware.yml | 2 +- rules/web/proxy_generic/proxy_ua_susp.yml | 11 +- .../web_iis_tilt_shortname_scan.yml | 2 +- .../Other/win_av_relevant_match.yml | 4 +- .../win_builtin_remove_application.yml | 2 +- ...sql_failed_logon_from_external_network.yml | 10 +- ...win_appxdeployment_server_policy_block.yml | 2 +- ...its_client_new_transfer_via_ip_address.yml | 10 +- .../firewall_as/win_firewall_as_add_rule.yml | 14 +- ...y_successful_external_remote_rdp_login.yml | 6 +- ...y_successful_external_remote_smb_login.yml | 6 +- .../win_security_susp_failed_logon_source.yml | 16 +- .../win_security_susp_rottenpotato.yml | 2 +- .../win_security_account_discovery.yml | 18 +- ...ity_ad_replication_non_machine_account.yml | 2 +- ...oke_obfuscation_clip_services_security.yml | 2 +- ...ke_obfuscation_stdin_services_security.yml | 2 +- ...voke_obfuscation_var_services_security.yml | 2 +- ...scation_via_compress_services_security.yml | 2 +- ...fuscation_via_rundll_services_security.yml | 2 +- ...bfuscation_via_stdin_services_security.yml | 2 +- 
...scation_via_use_clip_services_security.yml | 2 +- ...cation_via_use_mshta_services_security.yml | 2 +- ...ion_via_use_rundll32_services_security.yml | 2 +- ..._obfuscation_via_var_services_security.yml | 2 +- ...cobaltstrike_getsystem_service_install.yml | 30 +- ...n_security_scm_database_handle_failure.yml | 2 +- ...rity_susp_outbound_kerberos_connection.yml | 8 +- ...susp_possible_shadow_credentials_added.yml | 8 +- ...l_priv_service_lsaregisterlogonprocess.yml | 2 +- .../win_system_defender_disabled.yml | 2 +- ...ystem_invoke_obfuscation_clip_services.yml | 2 +- ...stem_invoke_obfuscation_stdin_services.yml | 6 +- ...system_invoke_obfuscation_var_services.yml | 2 +- ...voke_obfuscation_via_compress_services.yml | 2 +- ...invoke_obfuscation_via_rundll_services.yml | 2 +- ..._invoke_obfuscation_via_stdin_services.yml | 2 +- ...voke_obfuscation_via_use_clip_services.yml | 2 +- ...oke_obfuscation_via_use_mshta_services.yml | 2 +- ..._obfuscation_via_use_rundll32_services.yml | 2 +- ...em_invoke_obfuscation_via_var_services.yml | 2 +- ...tstrike_getsystem_service_installation.yml | 30 +- .../win_system_service_install_pdqdeploy.yml | 4 +- ...ystem_service_install_remote_utilities.yml | 4 +- ...tem_service_terminated_error_important.yml | 30 +- ...system_service_terminated_unexpectedly.yml | 4 +- ...cheduler_execution_from_susp_locations.yml | 6 +- ...er_lolbin_execution_via_task_scheduler.yml | 10 +- ...defender_suspicious_features_tampering.yml | 2 +- .../builtin/wmi/win_wmi_persistence.yml | 2 +- ...emote_thread_win_uncommon_source_image.yml | 10 +- ...ate_stream_hash_creation_internet_file.yml | 4 +- .../create_stream_hash_hacktool_download.yml | 372 +- ...e_access_software_domains_non_browsers.yml | 8 +- .../dns_query/dns_query_win_susp_ipify.yml | 4 +- .../driver_load_win_vuln_hevd_driver.yml | 8 +- .../file_change_win_2022_timestomping.yml | 10 +- ...ile_event_win_create_non_existent_dlls.yml | 12 +- ...vent_win_cred_dump_tools_dropped_files.yml | 50 +- 
...nt_win_hktl_hivenightmare_file_exports.yml | 12 +- ...tial_access_dll_search_order_hijacking.yml | 4 +- .../file_event/file_event_win_mal_adwind.yml | 10 +- ...vent_win_office_macro_files_downloaded.yml | 24 +- ...n_office_macro_files_from_susp_process.yml | 20 +- ...e_event_win_office_startup_persistence.yml | 12 +- ...e_event_win_office_susp_file_extension.yml | 2 +- ...event_win_office_uncommon_file_startup.yml | 12 +- ...te_access_tools_screenconnect_artefact.yml | 2 +- .../file_event/file_event_win_sam_dump.yml | 38 +- ...e_event_win_shell_write_susp_directory.yml | 2 +- .../file_event_win_susp_double_extension.yml | 10 +- ...file_event_win_susp_homoglyph_filename.yml | 2 +- ...t_win_susp_legitimate_app_dropping_exe.yml | 4 +- ...in_susp_legitimate_app_dropping_script.yml | 4 +- ...e_event_win_susp_recycle_bin_fake_exec.yml | 12 +- ...ile_event_win_webshell_creation_detect.yml | 14 +- .../file_rename_win_not_dll_to_dll.yml | 8 +- ...rosoft_account_token_provider_dll_load.yml | 6 +- ..._load_dll_credui_uncommon_process_load.yml | 8 +- ...system_management_automation_susp_load.yml | 6 +- .../image_load_dll_vssapi_susp_load.yml | 12 +- .../image_load_dll_vsstrace_susp_load.yml | 12 +- ..._load_side_load_abused_dlls_susp_paths.yml | 16 +- .../image_load_side_load_shelldispatch.yml | 4 +- .../image_load_side_load_third_party.yml | 14 +- .../image_load/image_load_side_load_wwlib.yml | 2 +- .../image_load_susp_python_image_load.yml | 6 +- ...e_load_susp_script_dotnet_clr_dll_load.yml | 2 +- .../image_load_wsman_provider_image_load.yml | 14 +- .../net_connection_win_binary_susp_com.yml | 8 +- ...net_connection_win_dead_drop_resolvers.yml | 24 +- ...tion_win_google_api_non_browser_access.yml | 4 +- ...tion_win_notion_api_susp_communication.yml | 4 +- .../net_connection_win_office_susp_ports.yml | 4 +- ...n_rdp_outbound_over_non_standard_tools.yml | 30 +- ...tion_win_reddit_api_non_browser_access.yml | 4 +- ..._win_remote_powershell_session_network.yml | 16 +- 
...onnection_win_rundll32_net_connections.yml | 46 +- .../net_connection_win_susp_epmap.yml | 2 +- ...connection_win_susp_external_ip_lookup.yml | 4 +- ..._win_susp_outbound_kerberos_connection.yml | 8 +- ..._susp_prog_location_network_connection.yml | 20 +- ...on_win_telegram_api_non_browser_access.yml | 4 +- ...d_hktl_cobaltstrike_susp_pipe_patterns.yml | 44 +- .../pipe_created_mal_namedpipes.yml | 10 +- .../posh_pc_alternate_powershell_hosts.yml | 4 +- .../posh_pm_bad_opsec_artifacts.yml | 2 +- .../posh_pm_invoke_obfuscation_clip.yml | 2 +- .../posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../posh_pm_invoke_obfuscation_var.yml | 2 +- ...osh_pm_invoke_obfuscation_via_compress.yml | 2 +- .../posh_pm_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_pm_invoke_obfuscation_via_stdin.yml | 2 +- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 2 +- ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../posh_pm_susp_ad_group_reco.yml | 16 +- .../posh_pm_susp_local_group_reco.yml | 16 +- .../posh_ps_adrecon_execution.yml | 2 +- .../posh_ps_as_rep_roasting.yml | 2 +- ...sh_ps_disable_windows_optional_feature.yml | 2 +- .../posh_ps_download_com_cradles.yml | 2 +- .../posh_ps_etw_trace_evasion.yml | 4 +- .../posh_ps_invoke_dnsexfiltration.yml | 10 +- .../posh_ps_invoke_obfuscation_clip.yml | 2 +- .../posh_ps_invoke_obfuscation_stdin.yml | 2 +- .../posh_ps_invoke_obfuscation_var.yml | 2 +- ...osh_ps_invoke_obfuscation_via_compress.yml | 2 +- .../posh_ps_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_ps_invoke_obfuscation_via_stdin.yml | 2 +- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 2 +- ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../posh_ps_invoke_obfuscation_via_var.yml | 2 +- .../posh_ps_malicious_keywords.yml | 2 +- .../posh_ps_nishang_malicious_commandlets.yml | 22 +- ...sh_ps_shellintel_malicious_commandlets.yml | 2 +- .../posh_ps_software_discovery.yml | 2 +- .../posh_ps_susp_keywords.yml | 4 +- 
.../posh_ps_token_obfuscation.yml | 2 +- .../posh_ps_wmi_persistence.yml | 16 +- ...ccess_win_direct_syscall_ntopenprocess.yml | 2 +- .../proc_access_win_invoke_patchingapi.yml | 16 +- .../proc_access_win_lsass_memdump.yml | 8 +- ...proc_creation_win_7zip_exfil_dmp_files.yml | 10 +- ...creation_win_7zip_password_compression.yml | 10 +- ..._creation_win_7zip_password_extraction.yml | 10 +- ...win_aspnet_compiler_susp_child_process.yml | 18 +- ...oc_creation_win_bash_command_execution.yml | 4 +- .../proc_creation_win_bash_file_execution.yml | 4 +- ..._creation_win_bcdedit_boot_conf_tamper.yml | 8 +- ...on_win_bginfo_suspicious_child_process.yml | 28 +- ...eation_win_certutil_download_direct_ip.yml | 46 +- .../proc_creation_win_cmd_path_traversal.yml | 12 +- .../proc_creation_win_csc_susp_parent.yml | 22 +- .../proc_creation_win_csi_execution.yml | 8 +- .../proc_creation_win_driverquery_recon.yml | 16 +- .../proc_creation_win_driverquery_usage.yml | 16 +- .../proc_creation_win_dsim_remove.yml | 16 +- ...oc_creation_win_dumpminitool_execution.yml | 12 +- ...eation_win_dumpminitool_susp_execution.yml | 12 +- ...proc_creation_win_expand_cabinet_files.yml | 2 +- ...eation_win_explorer_break_process_tree.yml | 4 +- .../proc_creation_win_git_susp_clone.yml | 4 +- ...on_win_googleupdate_susp_child_process.yml | 6 +- .../proc_creation_win_gpg4win_decryption.yml | 4 +- .../proc_creation_win_gpg4win_encryption.yml | 4 +- ...reation_win_gpg4win_portable_execution.yml | 4 +- ...roc_creation_win_gpg4win_susp_location.yml | 4 +- ...reation_win_hktl_bloodhound_sharphound.yml | 8 +- ...win_hktl_cobaltstrike_load_by_rundll32.yml | 4 +- .../proc_creation_win_hktl_coercedpotato.yml | 12 +- ...tl_crackmapexec_powershell_obfuscation.yml | 8 +- ...ation_win_hktl_execution_via_imphashes.yml | 348 +- .../proc_creation_win_hktl_handlekatz.yml | 8 +- .../proc_creation_win_hktl_impacket_tools.yml | 100 +- .../proc_creation_win_hktl_inveigh.yml | 14 +- 
...ation_win_hktl_invoke_obfuscation_clip.yml | 2 +- ...tion_win_hktl_invoke_obfuscation_stdin.yml | 6 +- ...eation_win_hktl_invoke_obfuscation_var.yml | 2 +- ...n_hktl_invoke_obfuscation_via_compress.yml | 2 +- ..._win_hktl_invoke_obfuscation_via_stdin.yml | 2 +- ...n_hktl_invoke_obfuscation_via_use_clip.yml | 2 +- ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 2 +- ...on_win_hktl_invoke_obfuscation_via_var.yml | 2 +- ...reation_win_hktl_mimikatz_command_line.yml | 22 +- .../proc_creation_win_hktl_pchunter.yml | 16 +- .../proc_creation_win_hktl_powertool.yml | 4 +- .../proc_creation_win_hktl_rubeus.yml | 30 +- .../proc_creation_win_hktl_selectmyparent.yml | 46 +- ..._creation_win_hktl_sharp_impersonation.yml | 12 +- .../proc_creation_win_hktl_sharpevtmute.yml | 4 +- .../proc_creation_win_hktl_sharpup.yml | 14 +- .../proc_creation_win_hktl_sharpview.yml | 216 +- ...ation_win_hktl_stracciatella_execution.yml | 8 +- .../proc_creation_win_hktl_sysmoneop.yml | 8 +- .../proc_creation_win_hktl_uacme.yml | 18 +- .../proc_creation_win_hktl_wce.yml | 8 +- .../proc_creation_win_hktl_winpeas.yml | 16 +- .../proc_creation_win_hktl_xordump.yml | 8 +- .../proc_creation_win_icacls_deny.yml | 2 +- .../proc_creation_win_lolbin_appvlp.yml | 4 +- .../proc_creation_win_lolbin_defaultpack.yml | 2 +- ...reation_win_lolbin_gather_network_info.yml | 8 +- ...on_win_lolbin_protocolhandler_download.yml | 2 +- .../proc_creation_win_lolbin_ssh.yml | 6 +- .../proc_creation_win_lolbin_unregmp2.yml | 4 +- ...oc_creation_win_lolscript_register_app.yml | 8 +- ...oc_creation_win_mmc_susp_child_process.yml | 18 +- .../proc_creation_win_mofcomp_execution.yml | 24 +- ...reation_win_mshta_susp_child_processes.yml | 38 +- .../proc_creation_win_mshta_susp_pattern.yml | 12 +- .../proc_creation_win_msiexec_embedding.yml | 4 +- .../proc_creation_win_msiexec_execute_dll.yml | 2 +- ..._win_net_default_accounts_manipulation.yml | 8 +- ...tion_win_net_groups_and_accounts_recon.yml | 8 +- 
..._win_net_network_connections_discovery.yml | 16 +- ...eation_win_net_share_and_sessions_enum.yml | 8 +- .../proc_creation_win_net_share_unmount.yml | 8 +- .../proc_creation_win_net_start_service.yml | 8 +- .../proc_creation_win_net_stop_service.yml | 8 +- .../proc_creation_win_net_susp_execution.yml | 8 +- ...creation_win_net_use_mount_admin_share.yml | 8 +- ...ation_win_net_use_mount_internet_share.yml | 8 +- .../proc_creation_win_net_use_mount_share.yml | 8 +- ...reation_win_net_use_password_plaintext.yml | 8 +- .../proc_creation_win_net_user_add.yml | 8 +- ...creation_win_net_user_add_never_expire.yml | 8 +- ...etsh_fw_allow_program_in_susp_location.yml | 18 +- .../proc_creation_win_netsh_fw_allow_rdp.yml | 6 +- ...roc_creation_win_netsh_port_forwarding.yml | 2 +- .../proc_creation_win_ntdsutil_susp_usage.yml | 16 +- ...tion_win_office_arbitrary_cli_download.yml | 12 +- ...win_office_exec_from_trusted_locations.yml | 12 +- ...in_office_onenote_susp_child_processes.yml | 136 +- ...in_office_outlook_susp_child_processes.yml | 22 +- ...ce_outlook_susp_child_processes_remote.yml | 2 +- ...eation_win_office_susp_child_processes.yml | 136 +- ...ion_win_pdqdeploy_runner_susp_children.yml | 54 +- .../proc_creation_win_powercfg_execution.yml | 12 +- ...ershell_aadinternals_cmdlets_execution.yml | 8 +- ...ell_active_directory_module_dll_import.yml | 8 +- ..._win_powershell_add_windows_capability.yml | 8 +- ...tion_win_powershell_base64_encoded_cmd.yml | 8 +- ...win_powershell_base64_frombase64string.yml | 6 +- ...roc_creation_win_powershell_base64_iex.yml | 44 +- ..._creation_win_powershell_base64_invoke.yml | 8 +- ...ion_win_powershell_base64_mppreference.yml | 34 +- ...tion_win_powershell_base64_wmi_classes.yml | 8 +- ...ershell_cmdline_convertto_securestring.yml | 8 +- ...in_powershell_cmdline_reversed_strings.yml | 8 +- ..._powershell_cmdline_special_characters.yml | 8 +- ...hell_computer_discovery_get_adcomputer.yml | 8 +- 
...isable_defender_av_security_monitoring.yml | 8 +- ...eation_win_powershell_disable_firewall.yml | 10 +- ..._creation_win_powershell_dll_execution.yml | 16 +- ...on_win_powershell_download_com_cradles.yml | 2 +- ...ation_win_powershell_download_patterns.yml | 8 +- ...on_win_powershell_encoded_cmd_patterns.yml | 8 +- ...ation_win_powershell_encoding_patterns.yml | 8 +- ...creation_win_powershell_hidden_b64_cmd.yml | 8 +- ...ershell_install_unsigned_appx_packages.yml | 8 +- ...powershell_invoke_webrequest_direct_ip.yml | 8 +- ..._powershell_invoke_webrequest_download.yml | 8 +- ...n_powershell_non_interactive_execution.yml | 8 +- ...in_powershell_reverse_shell_connection.yml | 8 +- .../proc_creation_win_powershell_set_acl.yml | 8 +- ...n_win_powershell_set_acl_susp_location.yml | 8 +- ...reation_win_powershell_snapins_hafnium.yml | 8 +- ...c_creation_win_powershell_stop_service.yml | 8 +- ...ion_win_powershell_susp_parent_process.yml | 58 +- ...ation_win_powershell_token_obfuscation.yml | 2 +- ...n_powershell_user_discovery_get_aduser.yml | 8 +- ...eation_win_powershell_webclient_casing.yml | 8 +- ...reation_win_powershell_xor_commandline.yml | 8 +- ...reation_win_provlaunch_potential_abuse.yml | 34 +- ...tion_win_provlaunch_susp_child_process.yml | 34 +- .../proc_creation_win_pua_advancedrun.yml | 10 +- ...creation_win_pua_advancedrun_priv_user.yml | 16 +- .../proc_creation_win_pua_frp.yml | 6 +- .../proc_creation_win_pua_iox.yml | 6 +- .../proc_creation_win_pua_netcat.yml | 2 +- .../proc_creation_win_pua_nmap_zenmap.yml | 8 +- .../proc_creation_win_pua_nps.yml | 6 +- .../proc_creation_win_pua_nsudo.yml | 12 +- .../proc_creation_win_pua_process_hacker.yml | 20 +- ...proc_creation_win_pua_rcedit_execution.yml | 4 +- .../proc_creation_win_pua_seatbelt.yml | 34 +- .../proc_creation_win_pua_system_informer.yml | 2 +- ...on_win_python_inline_command_execution.yml | 6 +- ...numeration_for_credentials_in_registry.yml | 8 +- ...oc_creation_win_reg_software_discovery.yml | 
2 +- ...eation_win_reg_windows_defender_tamper.yml | 2 - ...eation_win_regasm_suspicious_execution.yml | 8 +- .../proc_creation_win_regedit_export_keys.yml | 2 +- .../proc_creation_win_regedit_import_keys.yml | 2 +- ...c_creation_win_regedit_import_keys_ads.yml | 2 +- ...tion_win_registry_new_network_provider.yml | 12 +- ...ccess_tools_rurat_non_default_location.yml | 4 +- .../proc_creation_win_renamed_adfind.yml | 8 +- .../proc_creation_win_renamed_autohotkey.yml | 26 +- .../proc_creation_win_renamed_autoit.yml | 12 +- ...ion_win_renamed_binary_highly_relevant.yml | 38 +- .../proc_creation_win_renamed_createdump.yml | 12 +- ..._creation_win_renamed_office_processes.yml | 20 +- .../proc_creation_win_renamed_paexec.yml | 16 +- .../proc_creation_win_renamed_plink.yml | 6 +- ...reation_win_rpcping_credential_capture.yml | 16 +- ...ndll32_advpack_obfuscated_ordinal_call.yml | 4 +- ..._win_rundll32_process_dump_via_comsvcs.yml | 2 +- ...oc_creation_win_rundll32_run_locations.yml | 20 +- .../proc_creation_win_rundll32_script_run.yml | 2 +- ...oc_creation_win_rundll32_susp_activity.yml | 92 +- ..._rundll32_webdav_client_susp_execution.yml | 10 +- ..._win_sc_service_tamper_for_persistence.yml | 24 +- .../proc_creation_win_sc_stop_service.yml | 4 +- .../proc_creation_win_schtasks_env_folder.yml | 4 +- .../proc_creation_win_secedit_execution.yml | 4 +- ...oc_creation_win_setspn_spn_enumeration.yml | 4 +- ...ation_win_sqlite_chromium_profile_data.yml | 4 +- ..._win_sqlite_firefox_gecko_profile_data.yml | 4 +- ...ation_win_susp_abusing_debug_privilege.yml | 12 +- ...on_win_susp_add_user_local_admin_group.yml | 12 +- ...win_susp_add_user_remote_desktop_group.yml | 8 +- .../proc_creation_win_susp_appx_execution.yml | 2 +- ...oc_creation_win_susp_copy_browser_data.yml | 24 +- ...reation_win_susp_copy_lateral_movement.yml | 20 +- ...proc_creation_win_susp_copy_system_dir.yml | 8 +- ...eation_win_susp_copy_system_dir_lolbin.yml | 8 +- ...ion_win_susp_data_exfiltration_via_cli.yml | 
34 +- ...ation_win_susp_double_extension_parent.yml | 72 +- ...eation_win_susp_download_office_domain.yml | 18 +- ...on_win_susp_elavated_msi_spawned_shell.yml | 12 +- ...reation_win_susp_electron_app_children.yml | 20 +- ...reation_win_susp_elevated_system_shell.yml | 12 +- ...oc_creation_win_susp_etw_trace_evasion.yml | 6 +- ..._susp_execution_from_guid_folder_names.yml | 6 +- .../proc_creation_win_susp_execution_path.yml | 36 +- .../proc_creation_win_susp_image_missing.yml | 14 +- ...reation_win_susp_inline_win_api_access.yml | 4 +- ..._win_susp_lolbin_exec_from_non_c_drive.yml | 36 +- ...eation_win_susp_lsass_dmp_cli_keywords.yml | 30 +- .../proc_creation_win_susp_ntds.yml | 42 +- ..._win_susp_ntfs_short_name_path_use_cli.yml | 22 +- ...in_susp_ntfs_short_name_path_use_image.yml | 16 +- ...ation_win_susp_ntfs_short_name_use_cli.yml | 4 +- ...eation_win_susp_obfuscated_ip_download.yml | 10 +- ...in_susp_priv_escalation_via_named_pipe.yml | 8 +- ...c_creation_win_susp_private_keys_recon.yml | 8 +- ...oc_creation_win_susp_proc_wrong_parent.yml | 8 +- .../proc_creation_win_susp_progname.yml | 22 +- .../proc_creation_win_susp_recon.yml | 14 +- ...n_win_susp_script_exec_from_env_folder.yml | 12 +- .../proc_creation_win_susp_service_tamper.yml | 16 +- ...eation_win_susp_shadow_copies_creation.yml | 16 +- ...eation_win_susp_shadow_copies_deletion.yml | 20 +- ...tion_win_susp_shell_spawn_susp_program.yml | 2 +- ...c_creation_win_susp_system_exe_anomaly.yml | 12 +- ..._creation_win_susp_system_user_anomaly.yml | 92 +- ..._creation_win_susp_task_folder_evasion.yml | 2 +- ...in_svchost_execution_with_no_cli_flags.yml | 4 +- ...sinternals_accesschk_check_permissions.yml | 4 +- ...tion_win_sysinternals_livekd_execution.yml | 4 +- ...sysinternals_livekd_kernel_memory_dump.yml | 4 +- ...oc_creation_win_sysinternals_psloglist.yml | 4 +- ...oc_creation_win_sysinternals_psservice.yml | 4 +- ...n_win_sysinternals_pssuspend_execution.yml | 4 +- 
..._sysinternals_pssuspend_susp_execution.yml | 4 +- ..._win_sysinternals_sysmon_config_update.yml | 4 +- ...tion_win_sysinternals_sysmon_uninstall.yml | 6 +- ...win_vmware_vmtoolsd_susp_child_process.yml | 32 +- ...proc_creation_win_webdav_lnk_execution.yml | 4 +- .../proc_creation_win_webshell_detection.yml | 44 +- ...ion_win_windows_terminal_susp_children.yml | 46 +- ...oc_creation_win_winrar_exfil_dmp_files.yml | 4 +- ...creation_win_winrar_susp_child_process.yml | 32 +- ...n_win_winrar_uncommon_folder_execution.yml | 4 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 12 +- ...reation_win_wmic_xsl_script_processing.yml | 2 +- ...reation_win_wmiprvse_spawns_powershell.yml | 8 +- ...eation_win_wscript_cscript_script_exec.yml | 8 +- ...script_cscript_uncommon_extension_exec.yml | 8 +- .../proc_tampering_process_hollowing.yml | 4 +- .../registry_event_mal_flowcloud.yml | 6 +- ...registry_event_malware_qakbot_registry.yml | 2 +- ...ry_event_narrator_feedback_persistance.yml | 2 +- ...dll_added_to_appinit_dlls_registry_key.yml | 15 +- ..._set_asep_reg_keys_modification_common.yml | 19 +- ...p_reg_keys_modification_currentversion.yml | 27 +- ...eg_keys_modification_currentversion_nt.yml | 8 +- ..._set_asep_reg_keys_modification_office.yml | 2 +- ...asep_reg_keys_modification_wow6432node.yml | 6 +- ...y_set_creation_service_uncommon_folder.yml | 8 +- ...registry_set_disable_defender_firewall.yml | 6 +- .../registry_set_fax_dll_persistance.yml | 2 +- .../registry_set_new_network_provider.yml | 2 +- ...et_persistence_custom_protocol_handler.yml | 4 +- .../registry_set_persistence_ifilter.yml | 2 +- .../registry_set_persistence_search_order.yml | 2 +- ...stry_set_susp_reg_persist_explorer_run.yml | 12 +- .../registry_set_susp_run_key_img_folder.yml | 24 +- .../registry_set_suspicious_env_variables.yml | 68 +- .../registry_set_uac_bypass_eventvwr.yml | 2 +- ..._set_wdigest_enable_uselogoncredential.yml | 2 +- .../sysmon/sysmon_config_modification.yml | 6 +- 
.../wmi_event/sysmon_wmi_susp_scripting.yml | 26 +-
tests/promote_rules_status.py | 86 +
tests/reference-archiver.py | 157 +
tests/rule-references.txt | 3410 +++++++++++++++++
tests/thor.yml | 4 +-
.../zeek_dce_rpc_domain_user_enumeration.yml | 2 +-
501 files changed, 7250 insertions(+), 3382 deletions(-)
create mode 100644 .github/labeler.yml
create mode 100644 .github/workflows/greetings.yml
create mode 100644 .github/workflows/pr-labeler.yml
create mode 100644 .github/workflows/ref-archiver.yml
create mode 100644 .github/workflows/sigma-rule-promoter.yml
create mode 100644 CONTRIBUTING.md
delete mode 100644 LICENSE.Detection.Rules.md
delete mode 100644 _config.yml
create mode 100644 tests/promote_rules_status.py
create mode 100644 tests/reference-archiver.py
create mode 100644 tests/rule-references.txt
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 000000000..efd7471c8
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,37 @@
+Rules:
+ - 'deprecated/**/*'
+ - 'rules/**/*'
+ - 'rules-compliance/**/*'
+ - 'rules-dfir/**/*'
+ - 'rules-emerging-threats/**/*'
+ - 'rules-placeholder/**/*'
+ - 'rules-threat-hunting/**/*'
+Emerging-Threats:
+ - 'rules-emerging-threats/**/*'
+MacOS:
+ - 'rules/macos/**/*'
+ - 'rules-compliance/macos/**/*'
+ - 'rules-dfir/macos/**/*'
+ - 'rules-emerging-threats/macos/**/*'
+ - 'rules-placeholder/macos/**/*'
+ - 'rules-threat-hunting/macos/**/*'
+Windows:
+ - 'rules/windows/**/*'
+ - 'rules-compliance/windows/**/*'
+ - 'rules-dfir/windows/**/*'
+ - 'rules-emerging-threats/windows/**/*'
+ - 'rules-placeholder/windows/**/*'
+ - 'rules-threat-hunting/windows/**/*'
+Linux:
+ - 'rules/linux/**/*'
+ - 'rules-compliance/linux/**/*'
+ - 'rules-dfir/linux/**/*'
+ - 'rules-emerging-threats/linux/**/*'
+ - 'rules-placeholder/linux/**/*'
+ - 'rules-threat-hunting/linux/**/*'
+Maintenance:
+ - 'documentation/**/*'
+ - 'tests/**/*'
+ - '.github/**/*'
+ - 'README.md'
+ - 'Releases.md'
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
new file mode 100644
index 000000000..227e35741
--- /dev/null
+++ b/.github/workflows/greetings.yml
@@ -0,0 +1,34 @@
+name: Auto message for PR's and Issues
+
+on: [pull_request, issues]
+
+jobs:
+ build:
+ name: Hello new contributor
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/first-interaction@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ issue-message: |-
+ Welcome @${{github.actor}} :wave:
+
+ It looks like this is your first issue on the Sigma rules repository!
+
+ The following repository accepts issues related to `false positives` or 'rule ideas'.
+
+ If you're reporting an issue related to the pySigma library please consider submitting it [here](https://github.com/SigmaHQ/pySigma)
+
+ If you're reporting an issue related to the deprecated sigmac library please consider submitting it [here](https://github.com/SigmaHQ/legacy-sigmatools)
+
+ Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
+
+
+ pr-message: |-
+ Welcome @${{github.actor}} :wave:
+
+ It looks like this is your first pull request on the Sigma rules repository!
+
+ Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
+
+ Thanks again, and welcome to the Sigma community! :smiley:
\ No newline at end of file
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
new file mode 100644
index 000000000..b847fe20a
--- /dev/null
+++ b/.github/workflows/pr-labeler.yml
@@ -0,0 +1,15 @@
+on:
+ pull_request_target:
+ types:
+ - opened
+
+name: PR Labeler Workflow
+
+jobs:
+ triage:
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@v4
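Review bot: The `build` job in greetings.yml declares no `permissions:` block and is triggered by every `pull_request` and `issues` event type, so it runs with the repository's default token scope on edits, label changes and synchronize pushes even though `actions/first-interaction` only has to comment once, on the first interaction. Restricting both triggers to `types: [opened]` and declaring only `issues: write` and `pull-requests: write` limits the token to what the comment needs. Note that on `pull_request` events from forks the `GITHUB_TOKEN` is read-only, so the PR greeting may fail to post there — worth confirming against the action's documentation. The action itself is referenced by the mutable tag `@v1`.

```yaml
on:
  issues:
    types: [opened]
  pull_request:
    types: [opened]

permissions:
  issues: write
  pull-requests: write

# … unchanged: jobs.build (first-interaction step, issue-message and pr-message) …
```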
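Review bot: `actions/labeler@v4` runs under `pull_request_target`, which gives the job a token that can write to the base repository, but the action is referenced by a mutable major tag rather than a commit SHA, so a retagged or compromised release would execute with `pull-requests: write` on every newly opened PR; pin it, e.g. `- uses: actions/labeler@<full-commit-sha> # v4`. The same applies to `JasonEtco/create-an-issue@v2` in ref-archiver.yml and `peter-evans/create-pull-request@v5` in sigma-rule-promoter.yml. The `permissions` block here is already minimal and `contents: read` with no checkout step is the right shape for a `pull_request_target` job. Only `opened` is listed under `types`, so files added in later pushes to the PR are not relabelled — add `synchronize` if labels should track the final diff.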
diff --git a/.github/workflows/ref-archiver.yml b/.github/workflows/ref-archiver.yml
new file mode 100644
index 000000000..f4b0a1878
--- /dev/null
+++ b/.github/workflows/ref-archiver.yml
@@ -0,0 +1,33 @@
+name: "Reference Archiver"
+
+on:
+ #push:
+ # branches:
+ # - "*"
+ schedule:
+ - cron: "30 1 1,15 * *" # At 01:30 on day-of-month 1 and 15.
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ archive:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.3.0
+ with:
+ submodules: true
+ - name: Set up Python 3.11
+ uses: actions/setup-python@v4.5.0
+ with:
+ python-version: 3.11
+ - name: Execute Reference Archiver
+ run: |
+ pip install PyYAML argparse requests
+ python tests/reference-archiver.py
+ - name: Post Results
+ uses: JasonEtco/create-an-issue@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ filename: .github/archiver_output.md
diff --git a/.github/workflows/sigma-rule-promoter.yml b/.github/workflows/sigma-rule-promoter.yml
new file mode 100644
index 000000000..292d2d792
--- /dev/null
+++ b/.github/workflows/sigma-rule-promoter.yml
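Review bot: `pip install PyYAML argparse requests` installs `argparse` from PyPI although it is part of the Python 3.11 standard library selected by the `setup-python` step just above; the PyPI package of that name is an old backport, so this is an unnecessary third-party dependency pulled into a job that holds `GITHUB_TOKEN`. Drop it and pin the remaining two packages, and add a top-level `permissions:` block with `contents: read` and `issues: write`, which is all `create-an-issue` needs, since the workflow currently inherits the repository's default token scope. `tests/reference-archiver.py` and the `.github/archiver_output.md` it presumably produces are outside this hunk, so I cannot tell from here whether the issue body embeds text fetched from the referenced URLs; if it does, that is untrusted content landing in a repository issue and should be escaped or truncated by the script.

```yaml
permissions:
  contents: read
  issues: write

# … unchanged: on/schedule, workflow_dispatch, checkout and setup-python steps …
      - name: Execute Reference Archiver
        run: |
          pip install "PyYAML==<pinned-version>" "requests==<pinned-version>"
          python tests/reference-archiver.py
# … unchanged: Post Results step …
```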
@@ -0,0 +1,54 @@
+name: "Promote Experimental Rules To Test"
+
+on:
+ #push:
+ # branches:
+ # - "*"
+ schedule:
+ - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ pull-master:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.3.0
+ with:
+ submodules: true
+ - name: Set up Python 3.11
+ uses: actions/setup-python@v4.5.0
+ with:
+ python-version: 3.11
+ - name: Execute Rule Promoter Script
+ run: |
+ pip install PyYAML
+ python tests/promote_rules_status.py
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v5
+ with:
+ reviewers: nasbench, frack113, phantinuss
+ delete-branch: true
+ commit-message: 'chore: promote older rules status from `experimental` to `test`'
+ title: 'Promote Older Rules From `experimental` to `test`'
+ body: |
+ ### Summary of the Pull Request
+
+ This PR promotes and upgrade the status of rules that haven't been changed for over 300 days from `experimental` to `test`
+
+ ### Changelog
+
+ chore: promote older rules status from `experimental` to `test`
+
+ ### Example Log Event
+
+ N/A
+
+ ### Fixed Issues
+
+ N/A
+
+ ### SigmaHQ Rule Creation Conventions
+
+ - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index e9ce35224..ae4f414a6 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
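Review bot: A pull request opened with the default `GITHUB_TOKEN`, as `peter-evans/create-pull-request@v5` does in the `Create Pull Request` step, does not trigger `on: pull_request` workflows, so the monthly promotion PR will arrive without a run of `sigma-test.yml` or `sigma-validation.yml` and the reviewers listed in `reviewers:` will see no checks; either run the validation in this job after `promote_rules_status.py`, or open the PR with a token that is allowed to trigger workflows. The job also declares no `permissions:` block; `create-pull-request` needs `contents: write` to push the branch and `pull-requests: write` to open it, so declare exactly those rather than inheriting the default scope: `permissions:` / `contents: write` / `pull-requests: write`. The `body:` text `promotes and upgrade the status` should read `promotes and upgrades the status`.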
@@ -7,10 +7,30 @@ on: # yamllint disable-line rule:truthy push: branches: - "*" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" pull_request: branches: - master - - oscd + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: env: EVTX_BASELINE_VERSION: v0.7 diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml index b7e8be086..32a6ac351 100644 --- a/.github/workflows/sigma-validation.yml +++ b/.github/workflows/sigma-validation.yml @@ -4,9 +4,30 @@ on: push: branches: - "*" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" pull_request: branches: - master + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: jobs: validate-sigma-rules: diff --git a/.yamllint b/.yamllint index d1641eedc..e03e62ea4 100644 --- a/.yamllint +++ b/.yamllint 
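Review bot: The new `paths:` filters on `push` and `pull_request` mean a change that touches only the `tests/` harness these jobs execute, the `EVTX_BASELINE_VERSION` pin in this workflow, or the workflow file itself no longer triggers the job, so a broken or tampered check script can be merged without ever running. Add the harness and the workflow to the list: `- "tests/**"` and `- ".github/workflows/sigma-test.yml"`. If `sigma-test` is a required status check, a PR outside the filter will show it as skipped; confirm that branch protection treating that as passing is intentional. Dropping the `oscd` branch trigger looks like intended cleanup and needs no change.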
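Review bot: The validation filter enumerates each `rules-*` directory by name, so a rule dropped into a future top-level rules directory is silently skipped by `validate-sigma-rules` while still shipping in the repository; `- "rules*/**.yml"` covers the current set and any later sibling. As with the test workflow, `tests/**` and `.github/workflows/sigma-validation.yml` should be in the list so changes to the validator itself are exercised before merge.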
@@ -1,12 +1,21 @@ ---- # https://yamllint.readthedocs.io/en/latest/configuration.html extends: default + +ignore: + - .github/ + - deprecated/ + - other/godmode_sigma_rule.yml + - tests/ + - unsupported/ + rules: - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: {max: 2, max-start: 2, max-end: 2} - indentation: disable - line-length: disable - new-line-at-end-of-file: disable - trailing-spaces: disable + comments: + require-starting-space: true + min-spaces-from-content: 1 + comments-indentation: disable + document-start: {present: false} + empty-lines: {max: 2, max-start: 2, max-end: 2} + indentation: {spaces: 4} + line-length: disable + new-line-at-end-of-file: enable + trailing-spaces: {} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..f3630a95a --- /dev/null +++ b/CONTRIBUTING.md 
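Review bot: `ignore:` now lists `.github/`, so the four workflow files added in this same patch are never passed through yamllint, and the `tests/` entry hides any YAML fixtures the validator reads; if the intent is only to skip issue and PR templates, narrow the pattern to that subdirectory instead of the whole tree. The stricter `comments`, `indentation: {spaces: 4}` and `new-line-at-end-of-file: enable` rules are what the bulk re-indentation further down the patch satisfies, which is worth stating in the commit description since it explains most of the diffstat.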
@@ -0,0 +1,46 @@ +# Contributing to Sigma ๐Ÿง™โ€โ™‚๏ธ + +First off, thank you for considering contributing to Sigma! Your help is invaluable in keeping this project up-to-date and useful for the community. + +The following guidelines will help you understand how to contribute effectively. + +## ๐Ÿ“ Reporting False Positives Or Proposing New Detection Rule Ideas ๐Ÿ”Ž + +If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates. + +## ๐Ÿ› ๏ธ Submitting Pull Requests (PRs) + +1. Fork the [SigmaHQ repository](https://github.com/SigmaHQ/sigma) and clone your fork to your local machine. + +2. Create a new branch for your changes: + +``` +git checkout -b your-feature-branch +``` + +3. Make your changes and commit them to your branch: + +``` +git add . +git commit -m "Your commit message" +``` + +4. Push your changes to your fork: + +``` +git push origin your-feature-branch +``` + +5. Create a new Pull Request (PR) against the upstream repository: + +* Go to the [Sigma repository](https://github.com/SigmaHQ/sigma) on GitHub +* Click the "New Pull Request" button +* Choose your fork and your feature branch +* Add a clear and descriptive title and a detailed description of your changes +* Submit the Pull Request + +## ๐Ÿ“š Adding or Updating Detection Rules + +To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features. + +Thank you for contributing to Sigma! ๐Ÿง™โ€โ™‚๏ธ 
diff --git a/LICENSE.Detection.Rules.md b/LICENSE.Detection.Rules.md deleted file mode 100644 index 6475b1511..000000000 --- a/LICENSE.Detection.Rules.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Detection Rule License (DRL) 1.1 - -Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions: - -If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules: - -1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). - -2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable - -3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable - -If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules: - -1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). - -THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES. \ No newline at end of file 
diff --git a/Pipfile b/Pipfile index d17524674..a0538e611 100644 --- a/Pipfile +++ b/Pipfile @@ -6,8 +6,6 @@ verify_ssl = true [dev-packages] coverage = "~=5.0" yamllint = "~=1.21" -elasticsearch = "~=7.6" -elasticsearch-async = "~=6.2" pytest = "~=5.4" colorama = "*" setuptools = "*" diff --git a/_config.yml b/_config.yml deleted file mode 100644 index 2f7efbeab..000000000 --- a/_config.yml +++ /dev/null @@ -1 +0,0 @@ -theme: jekyll-theme-minimal \ No newline at end of file diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml index fc4e263db..b533f2f3d 100644 --- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml +++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml @@ -1,4 +1,4 @@ -title: Turla Group Lateral Movement +title: Turla Group Lateral Movement id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f status: test description: Detects automated lateral movement by Turla group diff --git a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml index fc8fdba44..29eb1d61f 100644 --- a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml +++ b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml @@ -19,12 +19,12 @@ logsource: detection: selection: - CommandLine|contains|all: - - '\AppData\Roaming\Oracle' - - '\java' - - '.exe ' + - '\AppData\Roaming\Oracle' + - '\java' + - '.exe ' - CommandLine|contains|all: - - 'cscript.exe' - - 'Retrive' - - '.vbs ' + - 'cscript.exe' + - 'Retrive' + - '.vbs ' condition: selection level: high 
diff --git a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml index e4d30de99..20ffd6827 100644 --- a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml +++ b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml @@ -24,36 +24,36 @@ logsource: detection: selection1: - Image|endswith: - - '\tasksche.exe' - - '\mssecsvc.exe' - - '\taskdl.exe' - - '\taskhsvc.exe' - - '\taskse.exe' - - '\111.exe' - - '\lhdfrgui.exe' - # - '\diskpart.exe' # cannot be used in a rule of level critical - - '\linuxnew.exe' - - '\wannacry.exe' + - '\tasksche.exe' + - '\mssecsvc.exe' + - '\taskdl.exe' + - '\taskhsvc.exe' + - '\taskse.exe' + - '\111.exe' + - '\lhdfrgui.exe' + # - '\diskpart.exe' # cannot be used in a rule of level critical + - '\linuxnew.exe' + - '\wannacry.exe' - Image|contains: 'WanaDecryptor' selection2: - CommandLine|contains|all: - - 'icacls' - - '/grant' - - 'Everyone:F' - - '/T' - - '/C' - - '/Q' + - 'icacls' + - '/grant' + - 'Everyone:F' + - '/T' + - '/C' + - '/Q' - CommandLine|contains|all: - - 'bcdedit' - - '/set' - - '{default}' - - 'recoveryenabled' - - 'no' + - 'bcdedit' + - '/set' + - '{default}' + - 'recoveryenabled' + - 'no' - CommandLine|contains|all: - - 'wbadmin' - - 'delete' - - 'catalog' - - '-quiet' + - 'wbadmin' + - 'delete' + - 'catalog' + - '-quiet' - CommandLine|contains: '@Please_Read_Me@.txt' condition: 1 of selection* fields: diff --git a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml index fbffedc59..c5c5b765e 100644 --- a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml +++ b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml 
@@ -24,7 +24,7 @@ detection: - '\iehelper' # ruag apt case - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra - '\userpipe' # ruag apt case - #- '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483 + # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483 condition: selection falsepositives: - Unlikely diff --git a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml index 524cbb3af..2fd608d27 100644 --- a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml +++ b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml @@ -29,9 +29,9 @@ detection: selection_extensions: - CommandLine|contains: '.dat",' - CommandLine|endswith: - - '.dll #1' - - '.dll" #1' - - '.dll",#1' + - '.dll #1' + - '.dll" #1' + - '.dll",#1' filter_main_exclude_temp: CommandLine|contains: '\AppData\Local\Temp\' condition: all of selection_* and not 1 of filter_main_* diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml index 2c43d48fe..9ab88ea7f 100644 --- a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml +++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml @@ -23,8 +23,8 @@ detection: selection: - CommandLine|contains: '-noni -ep bypass $' - CommandLine|contains|all: - - 'cyzfc.dat,' - - 'PointFunctionCall' + - 'cyzfc.dat,' + - 'PointFunctionCall' condition: selection falsepositives: - Unlikely 
diff --git a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml index bcbf4617e..1c0e3e1e6 100644 --- a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml +++ b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml @@ -22,12 +22,12 @@ logsource: detection: selection: - CommandLine|contains|all: - - 'powershell.exe mshta.exe http' - - '.hta' + - 'powershell.exe mshta.exe http' + - '.hta' - CommandLine|contains: - - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"' - - 'cmd.exe /c taskkill /im cmd.exe' - - "(New-Object System.Net.WebClient).UploadFile('http" + - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"' + - 'cmd.exe /c taskkill /im cmd.exe' + - "(New-Object System.Net.WebClient).UploadFile('http" condition: selection falsepositives: - Unknown diff --git a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml index 2df5a6e76..2758a1833 100644 --- a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml +++ b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml @@ -28,20 +28,20 @@ detection: ParentCommandLine|endswith: '.exe' selection2: - CommandLine|contains|all: - - '/c' - - 'del' - - 'C:\Users\' - - '\AppData\Local\Temp\' + - '/c' + - 'del' + - 'C:\Users\' + - '\AppData\Local\Temp\' - CommandLine|contains|all: - - '/c' - - 'del' - - 'C:\Users\' - - '\Desktop\' + - '/c' + - 'del' + - 'C:\Users\' + - '\Desktop\' - CommandLine|contains|all: - - '/C' - - 'type nul >' - - 'C:\Users\' - - '\Desktop\' + - '/C' + - 'type nul >' + - 'C:\Users\' + - '\Desktop\' selection3: CommandLine|endswith: '.exe' condition: all of selection* 
diff --git a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml index 8bd337a2e..f223899dd 100644 --- a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml +++ b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml @@ -20,8 +20,8 @@ detection: selection: - CommandLine|contains: '-export dll_u' - CommandLine|endswith: - - ',dll_u' - - ' dll_u' + - ',dll_u' + - ' dll_u' condition: selection falsepositives: - Unlikely diff --git a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml index f36a15d3d..e9371a218 100644 --- a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml +++ b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml @@ -19,21 +19,18 @@ logsource: detection: selection_cli: - CommandLine|contains: - - 'Temp\wtask.exe /create' - - '%windir:~-3,1%%PUBLIC:~-9,1%' - - '/tn "Security Script ' - - '%windir:~-1,1%' + - 'Temp\wtask.exe /create' + - '%windir:~-3,1%%PUBLIC:~-9,1%' + - '/tn "Security Script ' + - '%windir:~-1,1%' - CommandLine|contains|all: - - '/E:vbscript' - - 'C:\Users\' - - '.txt' - - '/F' + - '/E:vbscript' + - 'C:\Users\' + - '.txt' + - '/F' selection_img: Image|endswith: 'Temp\winwsh.exe' condition: 1 of selection_* -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unlikely level: high diff --git a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml index 194d19061..2c4388fc6 100644 --- a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml 
+++ b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml @@ -30,7 +30,7 @@ detection: - '.dll",Control_RunDLL' - '.dll'',Control_RunDLL' filter_ide: - ParentImage|endswith: '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe + ParentImage|endswith: '\tracker.exe' # When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index df2f46bd6..028262449 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml 
@@ -61,45 +61,45 @@ detection: - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2' selection_hashes: - sha256: - - '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' - - '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' - - '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5' - - '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29' - - '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77' - - 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3' - - '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022' - - '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883' - - '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e' - - '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7' - - 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1' - - '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c' - - '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945' - - '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9' - - '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79' - - '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf' - - '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08' - - '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef' - - '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070' + - '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' + - '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' + - '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5' + - '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29' + - '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77' + - 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3' + - '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022' + - 
'6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883' + - '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e' + - '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7' + - 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1' + - '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c' + - '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945' + - '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9' + - '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79' + - '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf' + - '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08' + - '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef' + - '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070' - sha1: - - '53a44c2396d15c3a03723fa5e5db54cafd527635' - - '9c5e496921e3bc882dc40694f1dcc3746a75db19' - - 'aeb573accfd95758550cf30bf04f389a92922844' - - '79ef78a797403a4ed1a616c68e07fff868a8650a' - - '4f6f38b4cec35e895d91c052b1f5a83d665c2196' - - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d' - - 'e841a63e47361a572db9a7334af459ddca11347a' - - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d' - - '2e94b305d6812a9f96e6781c888e48c7fb157b6b' - - 'dd44133716b8a241957b912fa6a02efde3ce3025' - - '8793bf166cb89eb55f0593404e4e933ab605e803' - - 'a39b57032dbb2335499a51e13470a7cd5d86b138' - - '41cc2b15c662bc001c0eb92f6cc222934f0beeea' - - 'd209430d6af54792371174e70e27dd11d3def7a7' - - '1c6452026c56efd2c94cea7e0f671eb55515edb0' - - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a' - - '4923d460e22fbbf165bbbaba168e5a46b8157d9f' - - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' - - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' + - '53a44c2396d15c3a03723fa5e5db54cafd527635' + - '9c5e496921e3bc882dc40694f1dcc3746a75db19' + - 'aeb573accfd95758550cf30bf04f389a92922844' + - '79ef78a797403a4ed1a616c68e07fff868a8650a' + - '4f6f38b4cec35e895d91c052b1f5a83d665c2196' + - 
'1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d' + - 'e841a63e47361a572db9a7334af459ddca11347a' + - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d' + - '2e94b305d6812a9f96e6781c888e48c7fb157b6b' + - 'dd44133716b8a241957b912fa6a02efde3ce3025' + - '8793bf166cb89eb55f0593404e4e933ab605e803' + - 'a39b57032dbb2335499a51e13470a7cd5d86b138' + - '41cc2b15c662bc001c0eb92f6cc222934f0beeea' + - 'd209430d6af54792371174e70e27dd11d3def7a7' + - '1c6452026c56efd2c94cea7e0f671eb55515edb0' + - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a' + - '4923d460e22fbbf165bbbaba168e5a46b8157d9f' + - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' + - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml index d3e7f7cee..c383d3d1b 100644 --- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml @@ -11,8 +11,8 @@ tags: - attack.execution - attack.t1059.001 - detection.emerging_threats - #- sunburst - #- unc2452 + # - sunburst + # - unc2452 logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml index 9e9ae31f4..09a7e0ef9 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml 
@@ -2,9 +2,9 @@ title: CVE-2021-26858 Exchange Exploitation id: b06335b3-55ac-4b41-937e-16b7f5d57dfd status: test description: | - Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for - creation of non-standard files on disk by Exchange Serverโ€™s Unified Messaging service - which could indicate dropping web shells or other malicious content + Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for + creation of non-standard files on disk by Exchange Serverโ€™s Unified Messaging service + which could indicate dropping web shells or other malicious content references: - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ author: Bhabesh Raj diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml index 207ed421b..7a0472f42 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml @@ -21,13 +21,13 @@ logsource: detection: selection_img: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\pwsh.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_parent: ParentImage|endswith: '\elevation_service.exe' IntegrityLevel: 'System' diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml index 306072525..f8dc21431 100644 --- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml 
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml @@ -20,8 +20,8 @@ detection: selection_tools: - Image|endswith: '\sqlcmd.exe' - CommandLine|contains: - - 'sqlcmd ' - - 'sqlcmd.exe' + - 'sqlcmd ' + - 'sqlcmd.exe' selection_svr: CommandLine|contains: ' -S localhost ' selection_query: diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml index 5a420202f..c5611d4b5 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml @@ -18,8 +18,8 @@ detection: Image|endswith: '\GoogleUpdate.exe' filter_main_legit_paths: - Image|startswith: - - 'C:\Program Files\Google\' - - 'C:\Program Files (x86)\Google\' + - 'C:\Program Files\Google\' + - 'C:\Program Files (x86)\Google\' - Image|contains: '\AppData\Local\Google\Update\' condition: selection and not 1 of filter_main_* falsepositives: diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml index 2e608bce3..33cebae52 100644 --- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml +++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml @@ -30,8 +30,8 @@ detection: selection_vsperfmon: - Image|contains: '\ProgramData\VSPerfMon\' - CommandLine|contains|all: - - 'schtasks' - - 'VSPerfMon' + - 'schtasks' + - 'VSPerfMon' selection_opera_1: Image|endswith: 'Opera_browser.exe' ParentImage|endswith: 
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index b4e0fafeb..7e06fd83b 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml @@ -24,12 +24,12 @@ detection: - '\Sysmon64.exe' filter_main_generic: - Image: - - 'C:\Windows\Sysmon.exe' - - 'C:\Windows\Sysmon64.exe' - - 'C:\Windows\System32\conhost.exe' - - 'wevtutil.exe' - - 'C:\WINDOWS\system32\wevtutil.exe' - - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes + - 'C:\Windows\Sysmon.exe' + - 'C:\Windows\Sysmon64.exe' + - 'C:\Windows\System32\conhost.exe' + - 'wevtutil.exe' + - 'C:\WINDOWS\system32\wevtutil.exe' + - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version. filter_main_null: Image: null diff --git a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml index 85ed258bd..7abb433b4 100644 --- a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml +++ b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml 
@@ -20,12 +20,12 @@ detection: Image|endswith: '\policydefinitions\postgresql.exe' selection2: - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - '\winupd.log full' + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - '\winupd.log full' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml index 7feb3cb75..053642181 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml 
@@ -17,16 +17,16 @@ detection: selection: # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names" EventID: - #- 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field) + # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field) - 30803 # Failed to establish a network connection. - 30804 # A network connection was disconnected. - 30806 # The client re-established its session to the server. - #- 31001 # Error (Doesn't contain the "ServerAddress" field) + # - 31001 # Error (Doesn't contain the "ServerAddress" field) filter_main_local_ips: ServerAddress|startswith: - - '10.' #10.0.0.0/8 - - '192.168.' #192.168.0.0/16 - - '172.16.' #172.16.0.0/12 + - '10.' # 10.0.0.0/8 + - '192.168.' # 192.168.0.0/16 + - '172.16.' # 172.16.0.0/12 - '172.17.' - '172.18.' - '172.19.' @@ -42,8 +42,8 @@ detection: - '172.29.' - '172.30.' - '172.31.' - - '127.' #127.0.0.0/8 - - '169.254.' #169.254.0.0/16 + - '127.' # 127.0.0.0/8 + - '169.254.' # 169.254.0.0/16 condition: selection and not 1 of filter_main_* falsepositives: - Some false positives may occur from external trusted servers. Apply additional filters accordingly diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index 85bd93a8b..0ce87ec11 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml 
@@ -44,7 +44,7 @@ detection: - '\MOVEitTransfer\wwwroot\human2.aspx.lnk' - '\MOVEitTransfer\wwwroot\human2.aspx' # Uncomment selection if you wanna threat hunt for additional artifacts - #selection_cmdline: + # selection_cmdline: # TargetFilename|contains: ':\Windows\TEMP\' # TargetFilename|endswith: '.cmdline' selection_compiled_asp: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml index 9e66a653e..8921fb994 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml @@ -28,14 +28,14 @@ detection: selection_binaries: # Note: add additional binaries that the attacker might use - Image|endswith: - - '\cmd.exe' - - '\wscript.exe' + - '\cmd.exe' + - '\wscript.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'cscript.exe' - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'wscript.exe' + - 'Cmd.Exe' + - 'cscript.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wscript.exe' condition: all of selection_* falsepositives: - Unlikely diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml index 6f5d4e029..7ef130419 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml 
@@ -2,9 +2,9 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
 id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
 status: experimental
 description: |
- Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
- This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
- process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
+ Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
+ This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
+ process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
 processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
 references:
 - https://github.security.telekom.com/2023/08/darkgate-loader.html
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index 11e8e79b6..db07db000 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -2,8 +2,8 @@ title: DarkGate - Autoit3.EXE Execution Parameters
 id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
 status: experimental
 description: |
- Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
- the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+ Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+ the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
 command-and-control server.
 references:
 - https://github.security.telekom.com/2023/08/darkgate-loader.html
@@ -28,8 +28,8 @@ detection:
 - '\msiexec.exe'
 filter_main_legit_autoit_location:
 Image|endswith:
- - ':\Program Files (x86)\AutoIt3\AutoIt3.exe'
- - ':\Program Files\AutoIt3\AutoIt3.exe'
+ - ':\Program Files (x86)\AutoIt3\AutoIt3.exe'
+ - ':\Program Files\AutoIt3\AutoIt3.exe'
 condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unlikely
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
index 00dd20dfe..53850ee25 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -19,11 +19,11 @@ detection:
 selection:
 - Image|endswith: '\QbotUninstall.exe'
 - Hashes|contains:
- - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
- - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
- - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
- - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
- - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
+ - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
+ - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
+ - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
+ - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
+ - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
index c6a14bb7e..3254f3319 100644
--- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -20,5 +20,5 @@ detection:
 QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
 condition: selection
 falsepositives:
- - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
+ - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
 level: high
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
index 3b8b350cf..6f1f5d6b5 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
@@ -48,20 +48,20 @@ detection:
 - 'MD5=7FAEA2B01796B80D180399040BB69835'
 selection_hashes_2:
 - sha256:
- - '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- - '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- - 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- - '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
+ - '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
+ - '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
+ - 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
+ - '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
 - sha1:
- - 'BF939C9C261D27EE7BB92325CC588624FCA75429'
- - '20D554A80D759C50D6537DD7097FED84DD258B3E'
- - '894E7D4FFD764BB458809C7F0643694B036EAD30'
- - '3B3E778B647371262120A523EB873C20BB82BEAF'
+ - 'BF939C9C261D27EE7BB92325CC588624FCA75429'
+ - '20D554A80D759C50D6537DD7097FED84DD258B3E'
+ - '894E7D4FFD764BB458809C7F0643694B036EAD30'
+ - '3B3E778B647371262120A523EB873C20BB82BEAF'
 - md5:
- - '74BC2D0B6680FAA1A5A76B27E5479CBC'
- - '82187AD3F0C6C225E2FBA0C867280CC9'
- - '11BC82A9BD8297BD0823BCE5D6202082'
- - '7FAEA2B01796B80D180399040BB69835'
+ - '74BC2D0B6680FAA1A5A76B27E5479CBC'
+ - '82187AD3F0C6C225E2FBA0C867280CC9'
+ - '11BC82A9BD8297BD0823BCE5D6202082'
+ - '7FAEA2B01796B80D180399040BB69835'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
index 1a5bc33c3..a0fda2d7f 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml 
@@ -62,32 +62,32 @@ detection:
 - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
 selection_hashes_2:
 - sha256:
- - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
+ - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
+ - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
+ - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
+ - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
+ - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
+ - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
+ - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
+ - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
 - sha1:
- - '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- - '3B43A5D8B83C637D00D769660D01333E88F5A187'
- - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
+ - '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
+ - '3B43A5D8B83C637D00D769660D01333E88F5A187'
+ - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
+ - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
+ - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
+ - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
+ - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
+ - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
 - md5:
- - 'BB915073385DD16A846DFA318AFA3C19'
- - '08D79E1FFFA244CC0DC61F7D2036ACA9'
- - '4965EDF659753E3C05D800C6C8A23A7A'
- - '9833A4779B69B38E3E51F04E395674C6'
- - '704DB9184700481A56E5100FB56496CE'
- - '8EE6802F085F7A9DF7E0303E65722DC0'
- - 'F3D4144860CA10BA60F7EF4D176CC736'
- - '0EEB1C0133EB4D571178B2D9D14CE3E9'
+ - 'BB915073385DD16A846DFA318AFA3C19'
+ - '08D79E1FFFA244CC0DC61F7D2036ACA9'
+ - '4965EDF659753E3C05D800C6C8A23A7A'
+ - '9833A4779B69B38E3E51F04E395674C6'
+ - '704DB9184700481A56E5100FB56496CE'
+ - '8EE6802F085F7A9DF7E0303E65722DC0'
+ - 'F3D4144860CA10BA60F7EF4D176CC736'
+ - '0EEB1C0133EB4D571178B2D9D14CE3E9'
 selection_pe_1:
 - OriginalFileName: '3CXDesktopApp.exe'
 - Image|endswith: '\3CXDesktopApp.exe'
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index 3d0efd0ed..1763ac602 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -24,37 +24,37 @@ detection:
 - '\powershell_ise.exe'
 selection_special_child_powershell_cli:
 - CommandLine|contains:
- - ' echo '
- - '-dumpmode'
- - '-ssh'
- - '.dmp'
- - 'add-MpPreference'
- - 'adscredentials'
- - 'bitsadmin'
- - 'certutil'
- - 'csvhost.exe'
- - 'DownloadFile'
- - 'DownloadString'
- - 'dsquery'
- - 'ekern.exe'
- - 'FromBase64String'
- - 'iex '
- - 'iex('
- - 'Invoke-Expression'
- - 'Invoke-WebRequest'
- - 'localgroup administrators'
- - 'net group'
- - 'net user'
- - 'o365accountconfiguration'
- - 'query session'
- - 'samaccountname='
- - 'set-MpPreference'
- - 'svhost.exe'
- - 'System.IO.Compression'
- - 'System.IO.MemoryStream'
- - 'usoprivate'
- - 'usoshared'
- - 'whoami'
+ - ' echo '
+ - '-dumpmode'
+ - '-ssh'
+ - '.dmp'
+ - 'add-MpPreference'
+ - 'adscredentials'
+ - 'bitsadmin'
+ - 'certutil'
+ - 'csvhost.exe'
+ - 'DownloadFile'
+ - 'DownloadString'
+ - 'dsquery'
+ - 'ekern.exe'
+ - 'FromBase64String'
+ - 'iex '
+ - 'iex('
+ - 'Invoke-Expression'
+ - 'Invoke-WebRequest'
+ - 'localgroup administrators'
+ - 'net group'
+ - 'net user'
+ - 'o365accountconfiguration'
+ - 'query session'
+ - 'samaccountname='
+ - 'set-MpPreference'
+ - 'svhost.exe'
+ - 'System.IO.Compression'
+ - 'System.IO.MemoryStream'
+ - 'usoprivate'
+ - 'usoshared'
+ - 'whoami'
 - CommandLine|re: '[-/โ€“][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
 selection_special_child_lsass_1:
 CommandLine|contains: 'lsass'
@@ -84,13 +84,13 @@ detection:
 - '/add'
 selection_child_reg:
 - CommandLine|contains|all:
- - 'reg add'
- - 'DisableAntiSpyware'
- - '\Microsoft\Windows Defender'
+ - 'reg add'
+ - 'DisableAntiSpyware'
+ - '\Microsoft\Windows Defender'
 - CommandLine|contains|all:
- - 'reg add'
- - 'DisableRestrictedAdmin'
- - 'CurrentControlSet\Control\Lsa'
+ - 'reg add'
+ - 'DisableRestrictedAdmin'
+ - 'CurrentControlSet\Control\Lsa'
 selection_child_wmic_1:
 CommandLine|contains|all:
 - 'wmic'
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
index 46383d0ad..06ca88def 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
@@ -26,37 +26,37 @@ detection:
 - '\powershell_ise.exe'
 selection_special_child_powershell_cli:
 - CommandLine|contains:
- - ' echo '
- - '-dumpmode'
- - '-ssh'
- - '.dmp'
- - 'add-MpPreference'
- - 'adscredentials'
- - 'bitsadmin'
- - 'certutil'
- - 'csvhost.exe'
- - 'DownloadFile'
- - 'DownloadString'
- - 'dsquery'
- - 'ekern.exe'
- - 'FromBase64String'
- - 'iex '
- - 'iex('
- - 'Invoke-Expression'
- - 'Invoke-WebRequest'
- - 'localgroup administrators'
- - 'net group'
- - 'net user'
- - 'o365accountconfiguration'
- - 'query session'
- - 'samaccountname='
- - 'set-MpPreference'
- - 'svhost.exe'
- - 'System.IO.Compression'
- - 'System.IO.MemoryStream'
- - 'usoprivate'
- - 'usoshared'
- - 'whoami'
+ - ' echo '
+ - '-dumpmode'
+ - '-ssh'
+ - '.dmp'
+ - 'add-MpPreference'
+ - 'adscredentials'
+ - 'bitsadmin'
+ - 'certutil'
+ - 'csvhost.exe'
+ - 'DownloadFile'
+ - 'DownloadString'
+ - 'dsquery'
+ - 'ekern.exe'
+ - 'FromBase64String'
+ - 'iex '
+ - 'iex('
+ - 'Invoke-Expression'
+ - 'Invoke-WebRequest'
+ - 'localgroup administrators'
+ - 'net group'
+ - 'net user'
+ - 'o365accountconfiguration'
+ - 'query session'
+ - 'samaccountname='
+ - 'set-MpPreference'
+ - 'svhost.exe'
+ - 'System.IO.Compression'
+ - 'System.IO.MemoryStream'
+ - 'usoprivate'
+ - 'usoshared'
+ - 'whoami'
 - CommandLine|re: '[-/โ€“][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
 selection_special_child_lsass_1:
 CommandLine|contains: 'lsass'
@@ -86,13 +86,13 @@ detection:
 - '/add'
 selection_child_reg:
 - CommandLine|contains|all:
- - 'reg add'
- - 'DisableAntiSpyware'
- - '\Microsoft\Windows Defender'
+ - 'reg add'
+ - 'DisableAntiSpyware'
+ - '\Microsoft\Windows Defender'
 - CommandLine|contains|all:
- - 'reg add'
- - 'DisableRestrictedAdmin'
- - 'CurrentControlSet\Control\Lsa'
+ - 'reg add'
+ - 'DisableRestrictedAdmin'
+ - 'CurrentControlSet\Control\Lsa'
 selection_child_wmic_1:
 CommandLine|contains|all:
 - 'wmic'
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
index 294650529..3f5d5e8d8 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
@@ -22,9 +22,9 @@ detection:
 filter_main_local_ips:
 # Note: Uncomment this filter if you want to exclude local IPs
 CommandLine|contains:
- - 'https://10.' #10.0.0.0/8
- - 'https://192.168.' #192.168.0.0/16
- - 'https://172.16.' #172.16.0.0/12
+ - 'https://10.' # 10.0.0.0/8
+ - 'https://192.168.' # 192.168.0.0/16
+ - 'https://172.16.' # 172.16.0.0/12
 - 'https://172.17.'
 - 'https://172.18.'
 - 'https://172.19.'
@@ -40,8 +40,8 @@ detection:
 - 'https://172.29.'
 - 'https://172.30.'
 - 'https://172.31.'
- - 'https://127.' #127.0.0.0/8
- - 'https://169.254.' #169.254.0.0/16
+ - 'https://127.' # 127.0.0.0/8
+ - 'https://169.254.' # 169.254.0.0/16
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
index 1814f720a..725e9a0f7 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
@@ -21,5 +21,5 @@ detection:
 Date: '%ClosingTime%'
 condition: selection
 falsepositives:
- - User doing actual work outside of normal business hours.
+ - User doing actual work outside of normal business hours.
 level: low
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index a4c1bc0ae..f1af39e26 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -28,5 +28,5 @@ detection:
 - failure
 condition: selection
 falsepositives:
- - Not using a PAW/SAW in the environment
+ - Not using a PAW/SAW in the environment
 level: high
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
index ab7e2cde5..6dc103157 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -23,5 +23,5 @@ detection:
 DeviceInfo: '%UnApprovedDevice%'
 condition: selection
 falsepositives:
- - A legit admin not following proper processes
+ - A legit admin not following proper processes
 level: high
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
index a0d7819fa..09fd88ec7 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
@@ -23,5 +23,5 @@ detection:
 Initiatied.By: '%ApprovedUserUpn%'
 condition: selection
 falsepositives:
- - An admin doing actual work outside of normal business hours
+ - An admin doing actual work outside of normal business hours
 level: high
diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index aba0ae570..6d9abac3e 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -15,7 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'echo '
 - '%userdomain%'
 condition: selection
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
index 08f0fce2d..11b6db1db 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
@@ -50,11 +50,11 @@ detection:
 Image|endswith: '\TiWorker.exe'
 filter_main_programfiles:
 - Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 - TargetFilename|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 filter_main_defender:
 Image|startswith:
 - 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -91,7 +91,7 @@ detection:
 TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
 condition: selection and not 1 of filter_*
 falsepositives:
- #Please contribute to FP to increase the level
+ # Please contribute to FP to increase the level
 - Software installers
 - Update utilities
 - 32bit applications launching their 64bit versions
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
index e9e3c1326..62673a95f 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
@@ -24,10 +24,10 @@ detection:
 - Product: 'The curl executable'
 selection_cli:
 - CommandLine|contains:
- - ' --form' # Also covers the "--form-string"
- - ' --upload-file '
- - ' --data '
- - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
+ - ' --form' # Also covers the "--form-string"
+ - ' --upload-file '
+ - ' --data '
+ - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
 - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
 filter_optional_localhost:
 CommandLine|contains:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
index c039a673a..1ebb8ae27 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
@@ -20,11 +20,11 @@ logsource:
 detection:
 selection_img:
 - Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
 - OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
 selection_cli:
 CommandLine|contains: '/TRANSPORT:QUIC'
 condition: all of selection_*
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
index 4e315617d..15b6d4dcc 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection_powershell:
 - Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
 - OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
 - Description: 'Windows Powershell'
 - Product: 'PowerShell Core 6'
 selection_length:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
index b6abd4b03..299dec08e 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -16,11 +16,11 @@ logsource:
 detection:
 selection_img:
 - Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
 - OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
 selection_cmdlet:
 CommandLine|contains:
 - 'Import-Module '
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
index 32deeb8eb..556d1bf32 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
@@ -1,4 +1,4 @@
-title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
 id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
 related:
 - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index 82f0c1908..6d49c9442 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -16,54 +16,51 @@ logsource:
 detection:
 selection:
 - Signature|startswith:
- - 'HTOOL'
- - 'HKTL'
- - 'SecurityTool'
- - 'Adfind'
- - 'ATK/'
- - 'Exploit.Script.CVE'
- # - 'FRP.'
- - 'PWS.'
- - 'PWSX'
+ - 'HTOOL'
+ - 'HKTL'
+ - 'SecurityTool'
+ - 'Adfind'
+ - 'ATK/'
+ - 'Exploit.Script.CVE'
+ # - 'FRP.'
+ - 'PWS.'
+ - 'PWSX'
 - Signature|contains:
- - 'Hacktool'
- - 'ATK/' # Sophos
- - 'Potato'
- - 'Rozena'
- - 'Sbelt'
- - 'Seatbelt'
- - 'SecurityTool'
- - 'SharpDump'
- - 'Sliver'
- - 'Splinter'
- - 'Swrort'
- - 'Impacket'
- - 'Koadic'
- - 'Lazagne'
- - 'Metasploit'
- - 'Meterpreter'
- - 'MeteTool'
- - 'Mimikatz'
- - 'Mpreter'
- - 'Nighthawk'
- - 'PentestPowerShell'
- - 'PowerSploit'
- - 'PowerSSH'
- - 'PshlSpy'
- - 'PSWTool'
- - 'PWCrack'
- - 'Brutel'
- - 'BruteR'
- - 'Cobalt'
- - 'COBEACON'
- - 'Cometer'
- - 'DumpCreds'
- - 'FastReverseProxy'
- - 'PWDump'
+ - 'Hacktool'
+ - 'ATK/' # Sophos
+ - 'Potato'
+ - 'Rozena'
+ - 'Sbelt'
+ - 'Seatbelt'
+ - 'SecurityTool'
+ - 'SharpDump'
+ - 'Sliver'
+ - 'Splinter'
+ - 'Swrort'
+ - 'Impacket'
+ - 'Koadic'
+ - 'Lazagne'
+ - 'Metasploit'
+ - 'Meterpreter'
+ - 'MeteTool'
+ - 'Mimikatz'
+ - 'Mpreter'
+ - 'Nighthawk'
+ - 'PentestPowerShell'
+ - 'PowerSploit'
+ - 'PowerSSH'
+ - 'PshlSpy'
+ - 'PSWTool'
+ - 'PWCrack'
+ - 'Brutel'
+ - 'BruteR'
+ - 'Cobalt'
+ - 'COBEACON'
+ - 'Cometer'
+ - 'DumpCreds'
+ - 'FastReverseProxy'
+ - 'PWDump'
 condition: selection
-fields:
- - FileName
- - User
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index 05ed559e0..dd92efed8 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
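Review bot: The removal of the `fields:` block (`FileName`, `User`) at the end of this hunk is a content change buried inside an otherwise indentation-only diff, and the commit description does not mention it; the same block is dropped in av_password_dumper.yml and av_webshell.yml. If `fields` is being retired from these antivirus rules on purpose, the description should say so, because consumers that use the key to select output columns silently lose those two fields. The rule's `modified:` date sits outside this hunk; if it was not bumped alongside the content change, it should be.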
@@ -21,26 +21,23 @@ detection:
 selection:
 - Signature|startswith: 'PWS'
 - Signature|contains:
- - 'DumpCreds'
- - 'Mimikatz'
- - 'PWCrack'
- - 'HTool/WCE'
- - 'PSWTool'
- - 'PWDump'
- - 'SecurityTool'
- - 'PShlSpy'
- - 'Rubeus'
- - 'Kekeo'
- - 'LsassDump'
- - 'Outflank'
- - 'DumpLsass'
- - 'SharpDump'
- - 'PWSX'
- - 'PWS.'
+ - 'DumpCreds'
+ - 'Mimikatz'
+ - 'PWCrack'
+ - 'HTool/WCE'
+ - 'PSWTool'
+ - 'PWDump'
+ - 'SecurityTool'
+ - 'PShlSpy'
+ - 'Rubeus'
+ - 'Kekeo'
+ - 'LsassDump'
+ - 'Outflank'
+ - 'DumpLsass'
+ - 'SharpDump'
+ - 'PWSX'
+ - 'PWS.'
 condition: selection
-fields:
- - FileName
- - User
 falsepositives:
 - Unlikely
 level: critical
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index 5ed857906..e0b0fa200 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -24,63 +24,60 @@ logsource:
 detection:
 selection:
 - Signature|startswith:
- - 'PHP.'
- - 'JSP.'
- - 'ASP.'
- - 'Perl.'
- - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- - 'IIS/BackDoor'
- - 'JAVA/Backdoor'
- - 'Troj/ASP'
- - 'Troj/PHP'
- - 'Troj/JSP'
+ - 'PHP.'
+ - 'JSP.'
+ - 'ASP.'
+ - 'Perl.'
+ - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - 'IIS/BackDoor'
+ - 'JAVA/Backdoor'
+ - 'Troj/ASP'
+ - 'Troj/PHP'
+ - 'Troj/JSP'
 - Signature|contains:
- - 'Webshell'
- - 'Chopper'
- - 'SinoChoper'
- - 'ASPXSpy'
- - 'Aspdoor'
- - 'filebrowser'
- - 'PHP_'
- - 'JSP_'
- - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- - 'PHP:'
- - 'JSP:'
- - 'ASP:'
- - 'Perl:'
- - 'PHP/'
- - 'JSP/'
- - 'ASP/'
- - 'Perl/'
- - 'PHPShell'
- - 'Trojan.PHP'
- - 'Trojan.ASP'
- - 'Trojan.JSP'
- - 'Trojan.VBS'
- - 'PHP/Agent'
- - 'ASP/Agent'
- - 'JSP/Agent'
- - 'VBS/Agent'
- - 'Backdoor/PHP'
- - 'Backdoor/JSP'
- - 'Backdoor/ASP'
- - 'Backdoor/VBS'
- - 'Backdoor/Java'
- - 'PHP.Agent'
- - 'ASP.Agent'
- - 'JSP.Agent'
- - 'VBS.Agent'
- - 'Backdoor.PHP'
- - 'Backdoor.JSP'
- - 'Backdoor.ASP'
- - 'Backdoor.VBS'
- - 'Backdoor.Java'
- - 'PShlSpy'
- - 'C99shell'
+ - 'Webshell'
+ - 'Chopper'
+ - 'SinoChoper'
+ - 'ASPXSpy'
+ - 'Aspdoor'
+ - 'filebrowser'
+ - 'PHP_'
+ - 'JSP_'
+ - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - 'PHP:'
+ - 'JSP:'
+ - 'ASP:'
+ - 'Perl:'
+ - 'PHP/'
+ - 'JSP/'
+ - 'ASP/'
+ - 'Perl/'
+ - 'PHPShell'
+ - 'Trojan.PHP'
+ - 'Trojan.ASP'
+ - 'Trojan.JSP'
+ - 'Trojan.VBS'
+ - 'PHP/Agent'
+ - 'ASP/Agent'
+ - 'JSP/Agent'
+ - 'VBS/Agent'
+ - 'Backdoor/PHP'
+ - 'Backdoor/JSP'
+ - 'Backdoor/ASP'
+ - 'Backdoor/VBS'
+ - 'Backdoor/Java'
+ - 'PHP.Agent'
+ - 'ASP.Agent'
+ - 'JSP.Agent'
+ - 'VBS.Agent'
+ - 'Backdoor.PHP'
+ - 'Backdoor.JSP'
+ - 'Backdoor.ASP'
+ - 'Backdoor.VBS'
+ - 'Backdoor.Java'
+ - 'PShlSpy'
+ - 'C99shell'
 condition: selection
-fields:
- - FileName
- - User
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
index 6ac3e03f9..f7b05b387 100644
--- a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 eventSource: 'glue.amazonaws.com'
- eventName:
+ eventName:
 - 'CreateDevEndpoint'
 - 'DeleteDevEndpoint'
 - 'UpdateDevEndpoint'
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
index 77db4026d..b038d3f08 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
@@ -23,7 +23,7 @@ logsource:
 service: activitylogs
 detection:
 selection:
- operationName|startswith:
+ operationName|startswith:
 - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
 - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
 operationName|endswith:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
index a17d006c8..cecd0cb48 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
@@ -18,5 +18,5 @@ detection:
 riskEventType: 'anonymizedIPAddress'
 condition: selection
 falsepositives:
- - We recommend investigating the sessions flagged by this detection in the context of other sign-ins
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins
 level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
index 94d9179b9..17c116f1d 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
@@ -1,4 +1,4 @@
-title: Azure AD Account Credential Leaked
+title: Azure AD Account Credential Leaked
 id: 19128e5e-4743-48dc-bd97-52e5775af817
 status: experimental
 description: Indicates that the user's valid credentials have been leaked.
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index 7b8e610ba..50fb5e72c 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -28,5 +28,5 @@ fields:
 - 'org'
 - 'actor_location.country_code'
 falsepositives:
- - Validate the deletion activity is permitted. The "actor" field need to be validated.
+ - Validate the deletion activity is permitted. The "actor" field need to be validated.
 level: medium
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index 9a657fd34..02c00f418 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -36,5 +36,5 @@ fields:
 - 'repository_public'
 - '@timestamp'
 falsepositives:
- - Approved administrator/owner activities.
+ - Approved administrator/owner activities.
 level: high
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index 384d64330..a23d3a98b 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -30,5 +30,5 @@ fields: - 'repository_public' - '@timestamp' falsepositives: - - Organization approved new members + - Organization approved new members level: informational diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 105a8b6d0..96767ef89 100644 --- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml @@ -30,5 +30,5 @@ fields: - 'org' - 'actor_location.country_code' falsepositives: - - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". + - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". level: low diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml index d0c88f237..9328341cc 100644 --- a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml +++ b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml @@ -1,8 +1,8 @@ title: Modify System Firewall id: 323ff3f5-0013-4847-bbd4-250b5edb62cc related: - - id: 53059bc0-1472-438b-956a-7508a94a91f0 - type: similar + - id: 53059bc0-1472-438b-956a-7508a94a91f0 + type: similar status: experimental description: | Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml index 7c2f8de74..47b022810 100644 --- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml +++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml 
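Review bot: The new side of the `falsepositives` line in github_new_secret_created.yml still reads `This detection cloud be noisy`, so the whitespace normalization carries over a typo that changes the meaning; `- This detection could be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".` is presumably what was intended. Since the line is rewritten anyway, fixing it here avoids a second touch.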
@@ -6,7 +6,7 @@ description: | This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) references: - - 'https://github.com/Neo23x0/auditd' + - https://github.com/Neo23x0/auditd author: Marie Euler date: 2020/05/18 modified: 2021/11/27 diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml index 7931a51fe..02cd87e73 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml @@ -19,15 +19,15 @@ detection: CommandLine|contains: 'base64 ' selection_exec: - CommandLine|contains: - - '| bash ' - - '| sh ' - - '|bash ' - - '|sh ' + - '| bash ' + - '| sh ' + - '|bash ' + - '|sh ' - CommandLine|endswith: - - ' |sh' - - '| bash' - - '| sh' - - '|bash' + - ' |sh' + - '| bash' + - '| sh' + - '|bash' condition: all of selection_* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml index b82592fd4..b5017a42e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml 
@@ -16,11 +16,11 @@ logsource: detection: selection: CommandLine|contains: - - "IyEvYmluL2Jhc2" #!/bin/bash" - - "IyEvYmluL2Rhc2" #!/bin/dash" - - "IyEvYmluL3pza" #!/bin/zsh" - - "IyEvYmluL2Zpc2" #!/bin/fish - - "IyEvYmluL3No" # !/bin/sh" + - "IyEvYmluL2Jhc2" # Note: #!/bin/bash" + - "IyEvYmluL2Rhc2" # Note: #!/bin/dash" + - "IyEvYmluL3pza" # Note: #!/bin/zsh" + - "IyEvYmluL2Zpc2" # Note: #!/bin/fish + - "IyEvYmluL3No" # Note: # !/bin/sh" condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml index 07fd2d3e1..bab900d84 100644 --- a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml +++ b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml @@ -18,21 +18,21 @@ logsource: detection: selection: - Image|endswith: - # Add more as you see fit - - '/sqlmap' - - '/teamserver' - - '/aircrack-ng' - - '/john' - - '/setoolkit' - - '/wpscan' - - '/hydra' - - '/nikto' - # eBPF related malicious tools/poc's - - '/ebpfkit' - - '/bpfdos' - - '/exechijack' - - '/pidhide' - - '/writeblocker' + # Add more as you see fit + - '/sqlmap' + - '/teamserver' + - '/aircrack-ng' + - '/john' + - '/setoolkit' + - '/wpscan' + - '/hydra' + - '/nikto' + # eBPF related malicious tools/poc's + - '/ebpfkit' + - '/bpfdos' + - '/exechijack' + - '/pidhide' + - '/writeblocker' - Image|contains: '/linpeas' condition: selection falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml index e44374202..dde4d2f5a 100644 --- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml +++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml 
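Review bot: The trailing comment on the last entry in proc_creation_lnx_base64_shebang_cli.yml, `# Note: # !/bin/sh"`, keeps a stray space and a stray closing quote, and the bash, dash and zsh entries also end in an unmatched `"`; the base64 `IyEvYmluL3No` decodes to `#!/bin/sh`, so `- "IyEvYmluL3No" # Note: #!/bin/sh` matches the others once the quotes are dropped everywhere. These comments are documentation only, so the change does not affect matching.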
@@ -33,8 +33,8 @@ detection: - 'ufw-logging-allow' - 'ufw6-logging-deny' - 'ufw6-logging-allow' - #- 'ufw-reject-output' - #- 'ufw-track-inputt' + # - 'ufw-reject-output' + # - 'ufw-track-inputt' condition: all of selection_* falsepositives: - Network administrators diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml index bd8566d6f..2504e3cff 100644 --- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml +++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml @@ -16,9 +16,9 @@ logsource: detection: selection: Image|endswith: - - '/kill' - - '/pkill' - - '/killall' + - '/kill' + - '/pkill' + - '/killall' condition: selection falsepositives: - Likely diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml index a8949f5d4..4324459a7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml @@ -19,8 +19,8 @@ logsource: detection: selection_nc: Image|endswith: - - '/nc' - - '/ncat' + - '/nc' + - '/ncat' selection_flags: CommandLine|contains: - ' -c ' diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml index 60cb2bfeb..51ae4c429 100644 --- a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml @@ -18,13 +18,13 @@ detection: CommandLine|contains: ' -e ' selection_content: - CommandLine|contains|all: - - 'fdopen(' - - '::Socket::INET' + - 'fdopen(' + - '::Socket::INET' - CommandLine|contains|all: - - 'Socket' - - 'connect' - - 'open' - - 'exec' + - 'Socket' + - 'connect' + - 'open' + - 'exec' condition: all of selection_* falsepositives: - Unlikely 
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index 6136eb2eb..add5b3a11 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -19,12 +19,12 @@ logsource: detection: selection_img: - Image|endswith: - - '/python' - - '/python2' - - '/python3' + - '/python' + - '/python2' + - '/python3' - Image|contains: - - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - - '/python3.' + - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink + - '/python3.' selection_cli_1: CommandLine|contains|all: - 'import pty' diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml index a8f917a03..9faab9fe4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml @@ -20,9 +20,9 @@ detection: selection_2: Image|endswith: '/ping' CommandLine|contains: - - ' 10.' #10.0.0.0/8 - - ' 192.168.' #192.168.0.0/16 - - ' 172.16.' #172.16.0.0/12 + - ' 10.' # 10.0.0.0/8 + - ' 192.168.' # 192.168.0.0/16 + - ' 172.16.' # 172.16.0.0/12 - ' 172.17.' - ' 172.18.' - ' 172.19.' @@ -38,8 +38,8 @@ detection: - ' 172.29.' - ' 172.30.' - ' 172.31.' - - ' 127.' #127.0.0.0/8 - - ' 169.254.' #169.254.0.0/16 + - ' 127.' # 127.0.0.0/8 + - ' 169.254.' # 169.254.0.0/16 condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml index b969aa119..4e882da0b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml @@ -26,10 +26,10 @@ detection: Image|endswith: '/curl' selection_cli: - CommandLine|contains: - - ' --form' # Also covers the "--form-string" - - ' --upload-file ' - - ' --data ' - - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" + - ' --form' # Also covers the "--form-string" + - ' --upload-file ' + - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection filter_optional_localhost: CommandLine|contains: diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 2cb76751f..f520d0b93 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml @@ -22,12 +22,12 @@ detection: - '/shred' selection_history: - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' + - '/.bash_history' + - '/.zsh_history' - CommandLine|endswith: - - '_history' - - '.history' - - 'zhistory' + - '_history' + - '.history' + - 'zhistory' condition: all of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index c6946d370..74f8b6229 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml 
@@ -23,12 +23,12 @@ detection: - '/more' selection_history: - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' + - '/.bash_history' + - '/.zsh_history' - CommandLine|endswith: - - '_history' - - '.history' - - 'zhistory' + - '_history' + - '.history' + - 'zhistory' condition: all of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml index 8714f5683..ea7c51a21 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -20,15 +20,15 @@ detection: - 'bash -c ' selection_exec: - CommandLine|contains: - - '| bash ' - - '| sh ' - - '|bash ' - - '|sh ' + - '| bash ' + - '| sh ' + - '|bash ' + - '|sh ' - CommandLine|endswith: - - '| bash' - - '| sh' - - '|bash' - - ' |sh' + - '| bash' + - '| sh' + - '|bash' + - ' |sh' condition: all of selection* falsepositives: - Legitimate software that uses these patterns diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml index 81f005bf6..55dd6c029 100644 --- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml +++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml @@ -21,7 +21,7 @@ detection: CommandLine|contains: '-s +' selection_dd: Image|endswith: '/dd' - CommandLine|contains: + CommandLine|contains: - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding - 'if=/dev/random' # high-quality random data - 'if=/dev/urandom' # low-quality random data diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml index c43d0806a..0ab601940 100644 
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml @@ -18,7 +18,7 @@ logsource: category: process_creation product: macos detection: - selection: #adds to admin group + selection: # adds to admin group Image|endswith: '/dscl' CommandLine|contains|all: - ' -append ' diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml index d28829fa4..cdb55c7d2 100644 --- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml @@ -18,7 +18,7 @@ detection: selection: Image|endswith: '/dseditgroup' CommandLine|contains|all: - - ' -o edit ' #edit operation + - ' -o edit ' # edit operation - ' -a ' # username - ' -t user' - 'admin' # Group name diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml index 278eb9012..c2d032152 100644 --- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml @@ -25,8 +25,8 @@ detection: - 'NSData.dataWithContentsOfURL' selection_js: - CommandLine|contains|all: - - ' -l ' - - 'JavaScript' + - ' -l ' + - 'JavaScript' - CommandLine|contains: '.js' condition: all of selection_* fields: diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml index 6c34e45b0..40d2eed7e 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml 
@@ -20,9 +20,9 @@ detection: selection_2: Image|endswith: '/ping' CommandLine|contains: - - ' 10.' #10.0.0.0/8 - - ' 192.168.' #192.168.0.0/16 - - ' 172.16.' #172.16.0.0/12 + - ' 10.' # 10.0.0.0/8 + - ' 192.168.' # 192.168.0.0/16 + - ' 172.16.' # 172.16.0.0/12 - ' 172.17.' - ' 172.18.' - ' 172.19.' @@ -38,8 +38,8 @@ detection: - ' 172.29.' - ' 172.30.' - ' 172.31.' - - ' 127.' #127.0.0.0/8 - - ' 169.254.' #169.254.0.0/16 + - ' 127.' # 127.0.0.0/8 + - ' 169.254.' # 169.254.0.0/16 condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml index 733f3b595..0a7ba1c03 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml @@ -28,28 +28,28 @@ detection: ParentImage|endswith: '/Script Editor' selection_img: - Image|endswith: - - '/curl' - - '/bash' - - '/sh' - - '/zsh' - - '/dash' - - '/fish' - - '/osascript' - - '/mktemp' - - '/chmod' - - '/php' - - '/nohup' - - '/openssl' - - '/plutil' - - '/PlistBuddy' - - '/xattr' - - '/sqlite' - - '/funzip' - - '/popen' + - '/curl' + - '/bash' + - '/sh' + - '/zsh' + - '/dash' + - '/fish' + - '/osascript' + - '/mktemp' + - '/chmod' + - '/php' + - '/nohup' + - '/openssl' + - '/plutil' + - '/PlistBuddy' + - '/xattr' + - '/sqlite' + - '/funzip' + - '/popen' - Image|contains: - - 'python' - - 'perl' + - 'python' + - 'perl' condition: all of selection_* falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 1dffb40a1..cca1a32d4 100644 --- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml 
@@ -8,10 +8,10 @@ description: | Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' references: - - 'https://twitter.com/neu5ron/status/1346245602502443009' - - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' - - 'https://tools.ietf.org/html/rfc2929#section-2.1' - - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' + - https://twitter.com/neu5ron/status/1346245602502443009 + - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma + - https://tools.ietf.org/html/rfc2929#section-2.1 + - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS author: '@neu5ron, SOC Prime Team, Corelight' date: 2021/05/04 modified: 2022/11/29 diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml index 63e5bee76..58a2c26ec 100644 --- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml +++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml 
@@ -34,13 +34,13 @@ detection: client_header_names|contains: 'AUTHORIZATION' too_small_http_client_body: request_body_len: 0 - #winrm_ports: + # winrm_ports: # id.resp_p: # - 5985 # - 5986 # - 1270 condition: selection and not auth_header and not too_small_http_client_body - #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule + # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule fields: - id.orig_h - id.resp_h diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index 6d0bfde84..21c5ef4b6 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -36,10 +36,10 @@ detection: - '172.31.' - 'fd' - '2620:83:800f' - #approved_rdp: - #dst_ip: - #- x.x.x.x - condition: not selection #and not approved_rdp + # approved_rdp: + # dst_ip: + # - x.x.x.x + condition: not selection # and not approved_rdp falsepositives: - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. fields: diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index a5f57d026..67139a7f6 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml 
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -23,7 +23,7 @@ detection: selection: path: '\\\*\IPC$' name: 'atsvc' - #Accesses: '*WriteData*' + # Accesses: '*WriteData*' condition: selection falsepositives: - Unknown diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml index 1e53895de..a075b1b9d 100644 --- a/rules/web/proxy_generic/proxy_ua_malware.yml +++ b/rules/web/proxy_generic/proxy_ua_malware.yml @@ -117,7 +117,7 @@ detection: - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880 - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880 - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880 - - 'OK' #Nymaim - https://twitter.com/suyog41/status/1558051450797690880 + - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 condition: selection diff --git a/rules/web/proxy_generic/proxy_ua_susp.yml b/rules/web/proxy_generic/proxy_ua_susp.yml index 8718bfb5f..f88ff9702 100644 --- a/rules/web/proxy_generic/proxy_ua_susp.yml +++ b/rules/web/proxy_generic/proxy_ua_susp.yml @@ -41,15 +41,10 @@ detection: falsepositives: - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000) - - '.acrobat.com' - - '.adobe.com' - - '.adobe.io' + - '.acrobat.com' + - '.adobe.com' + - '.adobe.io' condition: 1 of selection* and not falsepositives -fields: - - ClientIP - - c-uri - - c-useragent - - cs-host falsepositives: - Unknown level: high diff --git a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml index fa45abe18..5ae2c3ea6 100644 
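Review bot: Dropping the `fields` list (`ClientIP`, `c-uri`, `c-useragent`, `cs-host`) from proxy_ua_susp.yml is a content change in a commit that is otherwise whitespace and comment normalization, and nothing in the description explains it; those are the fields an analyst needs to triage a user-agent hit, so if the removal is accidental the block should be restored. If it is deliberate, a sentence in the PR description saying why would help future readers of the history.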
--- a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml +++ b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml @@ -21,7 +21,7 @@ detection: cs-method: - GET - OPTIONS - #Success only + # Success only sc-status: - 200 - 301 diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml index 2f21f5ad3..2368b6b5c 100644 --- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml +++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml @@ -70,8 +70,8 @@ detection: - 'PSWTool' - 'PWCrack' - 'PWDump' - #- 'PWS.' - #- 'PWSX' + # - 'PWS.' + # - 'PWSX' - 'Ransom' # - 'Razy' - 'Rozena' diff --git a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml index 6aa18e786..fd4c7c082 100644 --- a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml @@ -20,5 +20,5 @@ detection: condition: selection falsepositives: - Unknown -#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview +# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview level: low diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 3512d0800..966e3e695 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml 
@@ -23,8 +23,8 @@ detection: EventID: 18456 filter_main_local_ips: Data|contains: - - 'CLIENT: 10.' #filter_range_IP: 10.0.0.0/8 - - 'CLIENT: 172.16.' #filter_range_IP: 172.16.0.0/12 + - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8 + - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12 - 'CLIENT: 172.17.' - 'CLIENT: 172.18.' - 'CLIENT: 172.19.' @@ -40,9 +40,9 @@ detection: - 'CLIENT: 172.29.' - 'CLIENT: 172.30.' - 'CLIENT: 172.31.' - - 'CLIENT: 192.168.' #filter_range_IP: 192.168.0.0/16 - - 'CLIENT: 127.' #filter_loop_back: 127.0.0.0/8 - - 'CLIENT: 169.254.' #fileter_link-local_addressing: 169.254.0.0/16 + - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16 + - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8 + - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16 condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml index fd9bbd1f1..6cdfef035 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml @@ -14,7 +14,7 @@ logsource: service: appxdeployment-server detection: selection: - EventID: + EventID: - 441 - 442 - 453 diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml index 761639b88..66080d0a0 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml 
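Review bot: The comment on the `169.254.` entry in the second hunk of win_mssql_failed_logon_from_external_network.yml still reads `# fileter_link-local_addressing: 169.254.0.0/16`; `# filter_link-local: 169.254.0.0/16` would fix the typo and match the style of the `filter_loop_back` comment just above it. Comment only, no effect on the filter.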
@@ -44,9 +44,9 @@ detection: - 'https://9' filter_optional_local_networks: RemoteName|contains: - - '://10.' #10.0.0.0/8 - - '://192.168.' #192.168.0.0/16 - - '://172.16.' #172.16.0.0/12 + - '://10.' # 10.0.0.0/8 + - '://192.168.' # 192.168.0.0/16 + - '://172.16.' # 172.16.0.0/12 - '://172.17.' - '://172.18.' - '://172.19.' @@ -62,8 +62,8 @@ detection: - '://172.29.' - '://172.30.' - '://172.31.' - - '://127.' #127.0.0.0/8 - - '://169.254.' #169.254.0.0/16 + - '://127.' # 127.0.0.0/8 + - '://169.254.' # 169.254.0.0/16 filter_optional_seven_zip: RemoteName|contains: # For https://7-zip.org/ diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index 906adde5f..41af7402c 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -22,15 +22,15 @@ detection: Action: 2 filter_main_installations: - ApplicationPath|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' - ModifyingApplication|startswith: 'C:\Windows\WinSxS\' # TiWorker.exe - ModifyingApplication: - - 'C:\Windows\System32\oobe\Setup.exe' - - 'C:\Windows\SysWOW64\msiexec.exe' - - 'C:\Windows\System32\svchost.exe' - - 'C:\Windows\System32\dllhost.exe' - - 'C:\Program Files\Windows Defender\MsMpEng.exe' + - 'C:\Windows\System32\oobe\Setup.exe' + - 'C:\Windows\SysWOW64\msiexec.exe' + - 'C:\Windows\System32\svchost.exe' + - 'C:\Windows\System32\dllhost.exe' + - 'C:\Program Files\Windows Defender\MsMpEng.exe' filter_optional_msmpeng: ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' ModifyingApplication|endswith: '\MsMpEng.exe' 
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml index edb5a2c95..d77d9b053 100644 --- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml @@ -33,9 +33,9 @@ detection: filter_ipv6: - IpAddress: '::1' # IPv6 loopback - IpAddress|startswith: - - 'fe80:' # link-local address - - 'fc' # private address range fc00::/7 - - 'fd' # private address range fc00::/7 + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 filter_empty: IpAddress: '-' condition: selection and not 1 of filter_* diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml index 4f1324f66..fc2200c38 100644 --- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml @@ -33,9 +33,9 @@ detection: filter_ipv6: - IpAddress: '::1' # IPv6 loopback - IpAddress|startswith: - - 'fe80:' # link-local address - - 'fc' # private address range fc00::/7 - - 'fd' # private address range fc00::/7 + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 filter_empty: IpAddress: '-' condition: selection and not 1 of filter_* 
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml index 1269d061f..fbe6072f9 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml @@ -21,9 +21,9 @@ detection: IpAddress|contains: '-' filter_ip_privatev4: IpAddress|startswith: - - '10.' #10.0.0.0/8 - - '192.168.' #192.168.0.0/16 - - '172.16.' #172.16.0.0/12 + - '10.' # 10.0.0.0/8 + - '192.168.' # 192.168.0.0/16 + - '172.16.' # 172.16.0.0/12 - '172.17.' - '172.18.' - '172.19.' @@ -39,13 +39,13 @@ detection: - '172.29.' - '172.30.' - '172.31.' - - '127.' #127.0.0.0/8 - - '169.254.' #169.254.0.0/16 + - '127.' # 127.0.0.0/8 + - '169.254.' # 169.254.0.0/16 filter_ip_privatev6: - - IpAddress: '::1' #loopback + - IpAddress: '::1' # loopback - IpAddress|startswith: - - 'fe80::' #link-local - - 'fc00::' #unique local + - 'fe80::' # link-local + - 'fc00::' # unique local condition: selection and not 1 of filter_* falsepositives: - Legitimate logon attempts over the internet diff --git a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml index ee7bf0bcf..69a5295e1 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml @@ -20,7 +20,7 @@ detection: LogonType: 3 TargetUserName: 'ANONYMOUS LOGON' WorkstationName: '-' - IpAddress: + IpAddress: - '127.0.0.1' - '::1' condition: selection diff --git a/rules/windows/builtin/security/win_security_account_discovery.yml b/rules/windows/builtin/security/win_security_account_discovery.yml index 873bd9cc5..7aae6093f 100644 
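Review bot: In the `filter_ip_privatev6` list of the second hunk of win_security_susp_failed_logon_source.yml, `'fc00::'` under `IpAddress|startswith` only excludes addresses whose textual form begins with `fc00::`, while the comment claims `unique local` (fc00::/7); the fd00::/8 half, which is the part actually assigned in practice, is not excluded, so failed logons from such addresses would be reported as external and add noise. The RDP and SMB login rules touched earlier in this commit use `- 'fc'` and `- 'fd'` for the same purpose, so `- 'fc' # unique local fc00::/7` and `- 'fd' # unique local fc00::/7` here would be consistent with them. The whitespace fix in this hunk does not change that behaviour, so this is a follow-up rather than a regression.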
--- a/rules/windows/builtin/security/win_security_account_discovery.yml +++ b/rules/windows/builtin/security/win_security_account_discovery.yml @@ -22,15 +22,15 @@ detection: - 'SAM_GROUP' selection_object: - ObjectName|endswith: - - '-512' - - '-502' - - '-500' - - '-505' - - '-519' - - '-520' - - '-544' - - '-551' - - '-555' + - '-512' + - '-502' + - '-500' + - '-505' + - '-519' + - '-520' + - '-544' + - '-551' + - '-555' - ObjectName|contains: 'admin' filter: SubjectUserName|endswith: '$' diff --git a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml index 4b60dabbd..b874721de 100644 --- a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml +++ b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml @@ -25,7 +25,7 @@ detection: - '89e95b76-444d-4c62-991a-0facbeda640c' filter: - SubjectUserName|endswith: '$' - - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account + - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml index 545cf5d19..2286217e9 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2022/11/27 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml index 2a89ba3d4..53a723781 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated use of stdin to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml index fcbca81f2..601cd0d93 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml index 620e6419a..9e563fe6b 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml index 559c33fde..2a4d21b38 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml index 183e93fa9..5141c4d91 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via Stdin in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml index b8ece38b1..25c235df6 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml index 6f282de51..2353469ec 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml index dce06c8f3..0b1742b9a 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via use Rundll32 in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task30) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml index e1a876949..df5f64e2f 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml @@ -6,7 +6,7 @@ related: status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2022/11/29 diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index 72343baff..7d5d4c40a 100644 --- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml 
@@ -25,27 +25,27 @@ detection: selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - - 'cmd' - - '/c' - - 'echo' - - '\pipe\' + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - - '%COMSPEC%' - - '/c' - - 'echo' - - '\pipe\' + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - - 'cmd.exe' - - '/c' - - 'echo' - - '\pipe\' + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - ServiceFileName|contains|all: - - 'rundll32' - - '.dll,a' - - '/p:' + - 'rundll32' + - '.dll,a' + - '/p:' condition: selection_id and selection fields: - ComputerName diff --git a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml index 17735a91d..32e1d3cce 100644 --- a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml +++ b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml @@ -19,7 +19,7 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'ServicesActive' AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs - #Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816 + # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816 filter: SubjectLogonId: '0x3e4' condition: selection and not filter diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml index d5d019a1c..8ea9b2b32 100644 
--- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml @@ -27,10 +27,10 @@ detection: - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' - 'C:\Program Files\Mozilla Firefox\firefox.exe' - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe' - #filter_browsers: - #Application|endswith: - # - '\opera.exe' - # - '\tomcat\bin\tomcat8.exe' + # filter_browsers: + # Application|endswith: + # - '\opera.exe' + # - '\tomcat\bin\tomcat8.exe' condition: selection and not 1 of filter_* falsepositives: - Web Browsers diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml index 224a6c4f1..e53c65d65 100644 --- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml +++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml 
@@ -21,13 +21,13 @@ detection: AttributeLDAPDisplayName: 'msDS-KeyCredentialLink' # If you experience a lot of FP you could uncomment the selection below # There could be other cases for other tooling add them accordingly - #AttributeValue|contains: 'B:828' - #OperationType: '%%14674' # Value Added + # AttributeValue|contains: 'B:828' + # OperationType: '%%14674' # Value Added # As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic # Uncomment the filter below and add the account name (or any other specific field) accordingly # Don't forget to add it to the condition section below - #filter: - #SubjectUserName: "%name%" + # filter: + # SubjectUserName: "%name%" condition: selection falsepositives: - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section) diff --git a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml index d51d8889e..f94c89253 100644 --- a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml @@ -18,7 +18,7 @@ detection: selection: EventID: 4673 Service: 'LsaRegisterLogonProcess()' - Keywords: '0x8010000000000000' #failure + Keywords: '0x8010000000000000' # failure condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml index 3835102e5..be8f14ee4 100644 
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml @@ -24,7 +24,7 @@ detection: # Note: The service name and messages are localized param1: - 'Windows Defender Antivirus Service' - - 'Service antivirus Microsoft Defender' #French OS + - 'Service antivirus Microsoft Defender' # French OS param2: - 'stopped' - 'arrรชtรฉ' diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml index 01f2159d9..23e92a06c 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml @@ -3,7 +3,7 @@ id: f7385ee2-0e0c-11eb-adc1-0242ac120002 status: experimental description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2023/02/20 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml index c092b6e8e..a4a076d0a 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml 
@@ -3,7 +3,7 @@ id: 72862bf2-0eb1-11eb-adc1-0242ac120002 status: test description: Detects Obfuscated use of stdin to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 @@ -31,8 +31,8 @@ detection: selection_other: - ImagePath|contains: 'noexit' - ImagePath|contains|all: - - 'input' - - '$' + - 'input' + - '$' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml index 7e855f6d5..4dae34d2c 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml @@ -3,7 +3,7 @@ id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml index b3abda7c7..0ec20cf6b 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml 
@@ -3,7 +3,7 @@ id: 175997c5-803c-4b08-8bb0-70b099f47595 status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml index b90936288..0ba877ee0 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml @@ -3,7 +3,7 @@ id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 status: test description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml index dea828065..832ce8faf 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml 
@@ -3,7 +3,7 @@ id: 487c7524-f892-4054-b263-8a0ace63fc25 status: test description: Detects Obfuscated Powershell via Stdin in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml index 4914e9720..d56f13de0 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml @@ -3,7 +3,7 @@ id: 63e3365d-4824-42d8-8b82-e56810fefa0c status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml index 1af17e960..61226ef71 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml 
@@ -3,7 +3,7 @@ id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml index a8245d462..f55634647 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml @@ -3,7 +3,7 @@ id: 641a4bfb-c017-44f7-800c-2aee0184ce9b status: test description: Detects Obfuscated Powershell via use Rundll32 in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task30) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml index 6f5ca82af..1dd732b0e 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml 
@@ -3,7 +3,7 @@ id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27) + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2022/11/29 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 52d72e55c..650531a73 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -22,27 +22,27 @@ detection: selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - ImagePath|contains|all: - - 'cmd' - - '/c' - - 'echo' - - '\pipe\' + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - ImagePath|contains|all: - - '%COMSPEC%' - - '/c' - - 'echo' - - '\pipe\' + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - ImagePath|contains|all: - - 'cmd.exe' - - '/c' - - 'echo' - - '\pipe\' + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - ImagePath|contains|all: - - 'rundll32' - - '.dll,a' - - '/p:' + - 'rundll32' + - '.dll,a' + - '/p:' - ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en condition: selection_id and selection fields: 
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml index cd5631121..235d7bbf7 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml @@ -21,8 +21,8 @@ detection: selection_service: - ImagePath|contains: 'PDQDeployService.exe' - ServiceName: - - 'PDQDeploy' - - 'PDQ Deploy' + - 'PDQDeploy' + - 'PDQ Deploy' condition: all of selection_* falsepositives: - Legitimate use of the tool diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml index 5a0135f30..5df7a75d6 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml @@ -25,8 +25,8 @@ detection: EventID: 7045 selection_service: - ImagePath|contains|all: - - '\rutserv.exe' - - '-service' + - '\rutserv.exe' + - '-service' - ServiceName: 'Remote Utilities - Host' condition: all of selection_* falsepositives: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml index 1724ebe35..f1b8f27f9 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml 
@@ -20,23 +20,23 @@ detection: EventID: 7023 # The X Service service terminated with the following error selection_name: - param1|contains: - # Note that these names are "Display Names" and are language specific. If you're using a non-english system these can and will be different - - ' Antivirus' - - ' Firewall' - - 'Application Guard' - - 'BitLocker Drive Encryption Service' - - 'Encrypting File System' - - 'Microsoft Defender' - - 'Threat Protection' - - 'Windows Event Log' + # Note that these names are "Display Names" and are language specific. If you're using a non-english system these can and will be different + - ' Antivirus' + - ' Firewall' + - 'Application Guard' + - 'BitLocker Drive Encryption Service' + - 'Encrypting File System' + - 'Microsoft Defender' + - 'Threat Protection' + - 'Windows Event Log' # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name. - Binary|contains: - - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service) - - '4500760065006e0074004c006f006700' # EventLog - - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall) - - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service) - - '450046005300' # EFS (Encrypting File System) - - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service) + - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service) + - '4500760065006e0074004c006f006700' # EventLog + - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall) + - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service) + - '450046005300' # EFS (Encrypting File System) + - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service) condition: all of selection_* falsepositives: - Rare false positives could occur since service termination could happen due to multiple reasons 
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml index 0c5a1411b..f52e2a9d0 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml @@ -20,8 +20,8 @@ detection: - param1|contains: 'Message Queuing' # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name. - Binary|contains: - - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case - - '6d0073006d007100' # msmq + - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case + - '6d0073006d007100' # msmq condition: all of selection_* falsepositives: - Rare false positives could occur since service termination could happen due to multiple reasons diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml index 19e87a732..277a5e941 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml @@ -25,9 +25,9 @@ detection: - '\Users\Public\' - 'C:\Temp\' # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it - #filter: - # TaskName: '\Exact\Task\Name' - # Path: 'Exact\Path' + # filter: + # TaskName: '\Exact\Task\Name' + # Path: 'Exact\Path' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml index 9522bd9ea..c803159f7 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml @@ -24,12 +24,12 @@ detection: - '\mspaint.exe' - '\notepad.exe' - '\regsvr32.exe' - #- '\rundll32.exe' + # - '\rundll32.exe' - '\wscript.exe' - #filter_system: - # Path|endswith: '\rundll32.exe' - # TaskName|startswith: '\Microsoft\Windows\' - #condition: selection and not 1 of filter_* + # filter_system: + # Path|endswith: '\rundll32.exe' + # TaskName|startswith: '\Microsoft\Windows\' + # condition: selection and not 1 of filter_* condition: selection falsepositives: - False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 2c73b254c..30db91d39 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -24,7 +24,7 @@ detection: NewValue|contains: # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware ' - #- '\Windows Defender\Features\TamperProtection ' # Might produce FP + # - '\Windows Defender\Features\TamperProtection ' # Might produce FP - '\Windows Defender\Scan\DisableRemovableDriveScanning ' - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' 
diff --git a/rules/windows/builtin/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml index 70ab63098..50d6f96cb 100644 --- a/rules/windows/builtin/wmi/win_wmi_persistence.yml +++ b/rules/windows/builtin/wmi/win_wmi_persistence.yml @@ -14,7 +14,7 @@ tags: - attack.t1546.003 logsource: product: windows - service: wmi #native windows detection + service: wmi definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher' detection: wmi_filter_to_consumer_binding: diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 65dbceed5..eeaa4d2b2 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml @@ -93,11 +93,11 @@ detection: filter_optional_nvidia: SourceImage: 'C:\Windows\explorer.exe' TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' - #filter_optional_powerpnt: - # # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 - # SourceImage|contains: '\Microsoft Office\' - # SourceImage|endswith: '\POWERPNT.EXE' - # TargetImage: 'C:\Windows\System32\csrss.exe' + # filter_optional_powerpnt: + # # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 + # SourceImage|contains: '\Microsoft Office\' + # SourceImage|endswith: '\POWERPNT.EXE' + # TargetImage: 'C:\Windows\System32\csrss.exe' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml index abf732b72..001a51f46 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml @@ -53,8 +53,8 @@ detection: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_optional_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml index 03e8b5f7b..da0f50745 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml 
@@ -18,193 +18,193 @@ logsource:
 detection:
     selection:
         - Imphash:
-            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
-            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
-            - bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
-            - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
-            - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
-            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
-            - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
-            - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
-            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
-            - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
-            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
-            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
-            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
-            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
-            - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
-            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
-            - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
-            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
-            - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
-            - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
-            - 6118619783fc175bc7ebecff0769b46e # RoguePotato
-            - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
-            - 563233bfa169acc7892451f71ad5850a # RoguePotato
-            - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
-            - 13f08707f759af6003837a150a371ba1 # Pwdump
-            - 1781f06048a7e58b323f0b9259be798b # Pwdump
-            - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
-            - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
-            - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
-            - 713c29b396b907ed71a72482759ed757 # Pwdump
-            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
-            - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
-            - 8b114550386e31895dfab371e741123d # Pwdump
-            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
-            - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
-            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
-            - cb567f9498452721d77a451374955f5f # Pwdump
-            - 730073214094cd328547bf1f72289752 # Htran
-            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
-            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
-            - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
-            - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
-            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
-            - 0588081ab0e63ba785938467e1b10cca # PPLDump
-            - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
-            - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
-            - 4da924cf622d039d58bce71cdf05d242 # NanoDump
-            - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
-            - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
-            - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
-            - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
-            - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
-            - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
-            - e6f9d5152da699934b30daab206471f6 # NanoDump
-            - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
-            - ffdd59e0318b85a3e480874d9796d872 # NanoDump
-            - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
-            - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
-            - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
-            - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
-            - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
-            - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
-            - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
-            - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
-            - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
-            - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
-            - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
-            - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
-            - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
-            - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
-            - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
-            - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
-            - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
-            - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
-            - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
-            - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
-            - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
-            - a53a02b997935fd8eedcb5f7abab9b9f # WCE
-            - e96a73c7bf33a464c510ede582318bf2 # WCE
-            - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
-            - 09D278F9DE118EF09163C6140255C690 # Dumpert
-            - 03866661686829d806989e2fc5a72606 # Dumpert
-            - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-            - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
-            - 19584675d94829987952432e018d5056 # SysmonQuiet
-            - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
-            - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
-            - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
-            - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
-            - 96df3a3731912449521f6f8d183279b1 # Backstab
-            - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
-            - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
+            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
+            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
+            - bf6223a49e45d99094406777eb6004ba # PetitPotam
+            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
+            - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
+            - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
+            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
+            - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
+            - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
+            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
+            - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
+            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
+            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
+            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
+            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
+            - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
+            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
+            - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
+            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
+            - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
+            - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
+            - 6118619783fc175bc7ebecff0769b46e # RoguePotato
+            - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
+            - 563233bfa169acc7892451f71ad5850a # RoguePotato
+            - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
+            - 13f08707f759af6003837a150a371ba1 # Pwdump
+            - 1781f06048a7e58b323f0b9259be798b # Pwdump
+            - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
+            - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
+            - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
+            - 713c29b396b907ed71a72482759ed757 # Pwdump
+            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
+            - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
+            - 8b114550386e31895dfab371e741123d # Pwdump
+            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
+            - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
+            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
+            - cb567f9498452721d77a451374955f5f # Pwdump
+            - 730073214094cd328547bf1f72289752 # Htran
+            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
+            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
+            - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
+            - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
+            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
+            - 0588081ab0e63ba785938467e1b10cca # PPLDump
+            - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
+            - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
+            - 4da924cf622d039d58bce71cdf05d242 # NanoDump
+            - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
+            - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
+            - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
+            - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
+            - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
+            - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
+            - e6f9d5152da699934b30daab206471f6 # NanoDump
+            - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
+            - ffdd59e0318b85a3e480874d9796d872 # NanoDump
+            - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
+            - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
+            - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
+            - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
+            - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
+            - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
+            - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
+            - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
+            - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+            - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
+            - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
+            - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
+            - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
+            - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
+            - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
+            - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
+            - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
+            - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
+            - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
+            - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
+            - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
+            - a53a02b997935fd8eedcb5f7abab9b9f # WCE
+            - e96a73c7bf33a464c510ede582318bf2 # WCE
+            - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
+            - 09D278F9DE118EF09163C6140255C690 # Dumpert
+            - 03866661686829d806989e2fc5a72606 # Dumpert
+            - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+            - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+            - 19584675d94829987952432e018d5056 # SysmonQuiet
+            - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+            - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
+            - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
+            - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
+            - 96df3a3731912449521f6f8d183279b1 # Backstab
+            - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
+            - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
         - Hash|contains: # Sysmon field hashes contains all types
-            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
-            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
-            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
-            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
-            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
-            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
-            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
-            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
-            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
-            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
-            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
-            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
-            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
-            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
-            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
-            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
-            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
-            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
-            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
-            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
-            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
-            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
-            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
-            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
-            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
-            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
-            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
-            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
-            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
-            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
-            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
-            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
-            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
-            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
-            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
-            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
-            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
-            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
-            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
-            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
-            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
-            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
-            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
-            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
-            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
-            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
-            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
-            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
-            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
-            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
-            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
-            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
-            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
-            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
-            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
-            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
-            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
-            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
-            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
-            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
-            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
-            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
-            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
-            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
-            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
-            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
-            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
-            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
-            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
-            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
-            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
-            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
-            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
-            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
-            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
-            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
-            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
-            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
-            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
-            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
-            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
-            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
-            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
-            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
-            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
-            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
-            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
-            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
-            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
-            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
+            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
+            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
     condition: selection
 fields:
     - TargetFilename
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 15230ec48..ac8617682 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -94,8 +94,8 @@ detection:
             - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
             - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
             - Image:
-                - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
-                - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+                - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+                - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
     filter_optional_edge_2:
         Image|startswith:
             - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
@@ -107,8 +107,8 @@ detection:
         Image|endswith: '\safari.exe'
     filter_optional_defender:
         Image|endswith:
-            - '\MsMpEng.exe' #Microsoft Defender executable
-            - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
+            - '\MsMpEng.exe' # Microsoft Defender executable
+            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
     filter_optional_brave:
         Image|endswith: '\brave.exe'
         Image|startswith: 'C:\Program Files\BraveSoftware\'
diff --git a/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
index 2968cfc75..c282c651e 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ipify.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
@@ -69,8 +69,8 @@ detection:
             - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
             - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
             - Image:
-                - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
-                - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+                - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+                - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
     filter_optional_edge_2:
         Image|startswith:
             - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 336c599f4..3f46d363b 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -18,12 +18,12 @@ detection:
         ImageLoaded|endswith: '\HEVD.sys'
     selection_sysmon:
         Hashes|contains:
-            - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
-            - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
+            - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
+            - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
     selection_other:
         Imphash:
-            - 'f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
-            - 'c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
+            - 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
+            - 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
     condition: 1 of selection*
 falsepositives:
     - Unlikely
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
index ab4564ce5..2104cca22 100644
--- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
@@ -26,13 +26,13 @@ detection:
         CreationUtcTime|startswith: '202'
     gen_filter_updates:
         - Image:
-            - 'C:\Windows\system32\ProvTool.exe'
-            - 'C:\Windows\System32\usocoreworker.exe'
-            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+            - 'C:\Windows\system32\ProvTool.exe'
+            - 'C:\Windows\System32\usocoreworker.exe'
+            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
         - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
         - TargetFilename|endswith:
-            - '.tmp'
-            - '.temp'
+            - '.tmp'
+            - '.temp'
     gen_filter_tiworker:
         Image|startswith: 'C:\WINDOWS\'
         Image|endswith: '\TiWorker.exe'
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 674f9e2a2..83cdb14e7 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -27,12 +27,12 @@ logsource:
 detection:
     selection:
         - TargetFilename:
-            - 'C:\Windows\System32\WLBSCTRL.dll'
-            - 'C:\Windows\System32\TSMSISrv.dll'
-            - 'C:\Windows\System32\TSVIPSrv.dll'
-            - 'C:\Windows\System32\wow64log.dll'
-            - 'C:\Windows\System32\WptsExtensions.dll'
-            - 'C:\Windows\System32\wbem\wbemcomn.dll'
+            - 'C:\Windows\System32\WLBSCTRL.dll'
+            - 'C:\Windows\System32\TSMSISrv.dll'
+            - 'C:\Windows\System32\TSVIPSrv.dll'
+            - 'C:\Windows\System32\wow64log.dll'
+            - 'C:\Windows\System32\WptsExtensions.dll'
+            - 'C:\Windows\System32\wbem\wbemcomn.dll'
         - TargetFilename|endswith: '\SprintCSP.dll'
     filter:
         Image|startswith: 'C:\Windows\System32\'
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index de54c089e..eaeb077ec 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -20,32 +20,32 @@ logsource:
 detection:
     selection:
         - TargetFilename|contains:
-            - '\fgdump-log'
-            - '\kirbi'
-            - '\pwdump'
-            - '\pwhashes'
-            - '\wce_ccache'
-            - '\wce_krbtkts'
+            - '\fgdump-log'
+            - '\kirbi'
+            - '\pwdump'
+            - '\pwhashes'
+            - '\wce_ccache'
+            - '\wce_krbtkts'
         - TargetFilename|endswith:
-            - '\cachedump.exe'
-            - '\cachedump64.exe'
-            - '\DumpExt.dll'
-            - '\DumpSvc.exe'
-            - '\Dumpy.exe'
-            - '\fgexec.exe'
-            - '\lsremora.dll'
-            - '\lsremora64.dll'
-            - '\NTDS.out'
-            - '\procdump64.exe'
-            - '\pstgdump.exe'
-            - '\pwdump.exe'
-            - '\SAM.out'
-            - '\SECURITY.out'
-            - '\servpw.exe'
-            - '\servpw64.exe'
-            - '\SYSTEM.out'
-            - '\test.pwd'
-            - '\wceaux.dll'
+            - '\cachedump.exe'
+            - '\cachedump64.exe'
+            - '\DumpExt.dll'
+            - '\DumpSvc.exe'
+            - '\Dumpy.exe'
+            - '\fgexec.exe'
+            - '\lsremora.dll'
+            - '\lsremora64.dll'
+            - '\NTDS.out'
+            - '\procdump64.exe'
+            - '\pstgdump.exe'
+            - '\pwdump.exe'
+            - '\SAM.out'
+            - '\SECURITY.out'
+            - '\servpw.exe'
+            - '\servpw64.exe'
+            - '\SYSTEM.out'
+            - '\test.pwd'
+            - '\wceaux.dll'
     condition: selection
 falsepositives:
     - Legitimate Administrator using tool for password recovery
diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
index 7fc13d8a6..a709f5aac 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
@@ -20,12 +20,12 @@ logsource:
 detection:
     selection:
         - TargetFilename|contains:
-            - '\hive_sam_' # Go version
-            - '\SAM-2021-' # C++ version
-            - '\SAM-2022-' # C++ version
-            - '\SAM-2023-' # C++ version
-            - '\SAM-haxx' # Early C++ versions
-            - '\Sam.save' # PowerShell version
+            - '\hive_sam_' # Go version
+            - '\SAM-2021-' # C++ version
+            - '\SAM-2022-' # C++ version
+            - '\SAM-2023-' # C++ version
+            - '\SAM-haxx' # Early C++ versions
+            - '\Sam.save' # PowerShell version
         - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
     condition: selection
 falsepositives:
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index 9207cef31..544b2bb6f 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -20,7 +20,7 @@ logsource:
 detection:
     selection:
         Image|endswith:
-        # add more processes when you find them
+            # add more processes when you find them
             - '\winword.exe'
             - '\excel.exe'
             - '\powerpnt.exe'
@@ -40,7 +40,7 @@ detection:
             - '\Users\'
             - '\AppData\'
         TargetFilename|contains:
-        # add more suspicious paths when you find them
+            # add more suspicious paths when you find them
             - '\Microsoft\OneDrive\'
             - '\Microsoft OneDrive\'
             - '\Microsoft\Teams\'
diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
index bc0e4c945..ef9c47fe1 100644
--- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
@@ -1,4 +1,4 @@
-title: Adwind RAT / JRAT File Artifact
+title: Adwind RAT / JRAT File Artifact
 id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
 related:
     - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
@@ -21,10 +21,10 @@ logsource:
 detection:
     selection:
         - TargetFilename|contains|all:
-            - '\AppData\Roaming\Oracle\bin\java'
-            - '.exe'
+            - '\AppData\Roaming\Oracle\bin\java'
+            - '.exe'
         - TargetFilename|contains|all:
-            - '\Retrive'
-            - '.vbs'
+            - '\Retrive'
+            - '.vbs'
     condition: selection
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
index 02c8d157a..30ea4582d 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
@@ -40,19 +40,19 @@ detection:
             - '\whale.exe'
     selection_ext:
         - TargetFilename|endswith:
-            - '.docm'
-            - '.dotm'
-            - '.xlsm'
-            - '.xltm'
-            - '.potm'
-            - '.pptm'
+            - '.docm'
+            - '.dotm'
+            - '.xlsm'
+            - '.xltm'
+            - '.potm'
+            - '.pptm'
         - TargetFilename|contains:
-            - '.docm:Zone'
-            - '.dotm:Zone'
-            - '.xlsm:Zone'
-            - '.xltm:Zone'
-            - '.potm:Zone'
-            - '.pptm:Zone'
+            - '.docm:Zone'
+            - '.dotm:Zone'
+            - '.xlsm:Zone'
+            - '.xltm:Zone'
+            - '.potm:Zone'
+            - '.pptm:Zone'
     condition: all of selection_*
 falsepositives:
     - Legitimate macro files downloaded from the internet
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index e256ad938..5c1c138c9 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
@@ -18,18 +18,18 @@ logsource:
 detection:
     selection_cmd:
         - Image|endswith:
-            - '\cscript.exe'
-            - '\mshta.exe'
-            - '\regsvr32.exe'
-            - '\rundll32.exe'
-            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
         # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
         - ParentImage|endswith:
-            - '\cscript.exe'
-            - '\mshta.exe'
-            - '\regsvr32.exe'
-            - '\rundll32.exe'
-            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
     selection_ext:
         TargetFilename|endswith:
             - '.docm'
diff --git a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
index f05dbb524..8d413962b 100644
--- a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
@@ -18,9 +18,9 @@ detection:
     selection_word_paths:
         - TargetFilename|contains: '\Microsoft\Word\STARTUP'
         - TargetFilename|contains|all:
-            - '\Office'
-            - '\Program Files'
-            - '\STARTUP'
+            - '\Office'
+            - '\Program Files'
+            - '\STARTUP'
     selection_word_extension:
         TargetFilename|endswith:
             - '.doc'
@@ -32,9 +32,9 @@ detection:
     selection_excel_paths:
         - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
         - TargetFilename|contains|all:
-            - '\Office'
-            - '\Program Files'
-            - '\XLSTART'
+            - '\Office'
+            - '\Program Files'
+            - '\XLSTART'
     selection_excel_extension:
         TargetFilename|endswith:
             - '.xls'
diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
index 816a00e88..071b27617 100644
--- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
@@ -15,7 +15,7 @@ logsource: product: windows category: file_event detection: - #useful_information: Please add more file extensions to the logic of your choice. + # Note: Please add more file extensions to the logic of your choice. selection1: Image|endswith: - '\excel.exe' diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml index 81a19fd6d..f94bc1b63 100644 --- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml @@ -20,9 +20,9 @@ detection: selection_word_paths: - TargetFilename|contains: '\Microsoft\Word\STARTUP' - TargetFilename|contains|all: - - '\Office' - - '\Program Files' - - '\STARTUP' + - '\Office' + - '\Program Files' + - '\STARTUP' filter_exclude_word_ext: TargetFilename|endswith: - '.docb' # Word binary document introduced in Microsoft Office 2007 @@ -35,9 +35,9 @@ detection: selection_excel_paths: - TargetFilename|contains: '\Microsoft\Excel\XLSTART' - TargetFilename|contains|all: - - '\Office' - - '\Program Files' - - '\XLSTART' + - '\Office' + - '\Program Files' + - '\XLSTART' filter_exclude_excel_ext: TargetFilename|endswith: - '.xls' diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml index 52025168e..f65d30540 100644 --- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml 
@@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - TargetFilename|contains: '\Bin\ScreenConnect.' #pattern to dll and jar file + TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml index 54daa898c..b06fbaabf 100644 --- a/rules/windows/file/file_event/file_event_win_sam_dump.yml +++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml @@ -20,26 +20,26 @@ logsource: detection: selection: - TargetFilename|endswith: - - '\Temp\sam' - - '\sam.sav' - - '\Intel\sam' - - '\sam.hive' - - '\Perflogs\sam' - - '\ProgramData\sam' - - '\Users\Public\sam' - - '\AppData\Local\sam' - - '\AppData\Roaming\sam' - - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal - - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/ - - ':\sam' + - '\Temp\sam' + - '\sam.sav' + - '\Intel\sam' + - '\sam.hive' + - '\Perflogs\sam' + - '\ProgramData\sam' + - '\Users\Public\sam' + - '\AppData\Local\sam' + - '\AppData\Roaming\sam' + - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal + - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/ + - ':\sam' - TargetFilename|contains: - - '\hive_sam_' # https://github.com/FireFart/hivenightmare - - '\sam.save' - - '\sam.export' - - '\~reg_sam.save' - - '\sam_backup' - - '\sam.bck' - - '\sam.backup' + - '\hive_sam_' # https://github.com/FireFart/hivenightmare + - '\sam.save' + - '\sam.export' + - '\~reg_sam.save' + - '\sam_backup' + - '\sam.bck' + - '\sam.backup' condition: selection falsepositives: - Rare cases of administrative activity diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml index ccd80c664..2abc355ad 100644 
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml +++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml @@ -32,7 +32,7 @@ detection: - '\certutil.exe' - '\forfiles.exe' - '\mshta.exe' - #- '\rundll32.exe' # Potential FP + # - '\rundll32.exe' # Potential FP - '\schtasks.exe' - '\scriptrunner.exe' - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml index 6c19d41c0..ff9482d3a 100644 --- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml @@ -27,7 +27,7 @@ detection: TargetFilename|endswith: - '.exe' - '.iso' - #- '.lnk' # legitimate links can happen just anywhere + # - '.lnk' # legitimate links can happen just anywhere - '.rar' - '.zip' TargetFilename|contains: @@ -44,10 +44,10 @@ detection: - '.rar.exe' - '.zip.exe' # Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations - #filter_main_lnk: - # TargetFilename|contains: - # - '\AppData\Roaming\Microsoft\Office\Recent\' - # - '\AppData\Roaming\Microsoft\Windows\Recent\' + # filter_main_lnk: + # TargetFilename|contains: + # - '\AppData\Roaming\Microsoft\Office\Recent\' + # - '\AppData\Roaming\Microsoft\Windows\Recent\' condition: 1 of selection_* falsepositives: - Unlikely diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml index 4967d75c7..46d207875 100644 --- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml +++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml 
@@ -14,7 +14,7 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 - #- attack.t1036.008 + # - attack.t1036.008 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml index 69ea85f54..ae9c0297b 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml @@ -24,10 +24,10 @@ detection: - '\certutil.exe' - '\certoc.exe' - '\CertReq.exe' - #- \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) + # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) - '\Desktopimgdownldr.exe' - '\esentutl.exe' - #- \expand.exe + # - \expand.exe - '\mshta.exe' # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name) - '\AcroRd32.exe' diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml index 95a791490..e271d35b5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml 
@@ -24,10 +24,10 @@ detection: - \certutil.exe - \certoc.exe - \CertReq.exe - #- \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) + # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) - \Desktopimgdownldr.exe - \esentutl.exe - #- \expand.exe + # - \expand.exe - '\mshta.exe' # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name) - '\AcroRd32.exe' diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index 687d2721a..9d7dddc17 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -18,13 +18,13 @@ logsource: detection: selection: - Image|contains: - - ':\RECYCLERS.BIN\' - - ':\RECYCLER.BIN\' - - ':\RECYCLE.BIN\' + - ':\RECYCLERS.BIN\' + - ':\RECYCLER.BIN\' + - ':\RECYCLE.BIN\' - TargetFilename|contains: - - ':\RECYCLERS.BIN\' - - ':\RECYCLER.BIN\' - - ':\RECYCLE.BIN\' + - ':\RECYCLERS.BIN\' + - ':\RECYCLER.BIN\' + - ':\RECYCLE.BIN\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml index 78cd880a6..37bf4288b 100755 --- a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml 
@@ -30,13 +30,13 @@ detection: - '\html\' selection_htdocs_ext: TargetFilename|contains: '.ph' - #selection_tomcat_path: - # TargetFilename|contains: '\webapps\ROOT' - #selection_tomcat_ext: - # TargetFilename|contains: - # - '.jsp' # .jspx, .jspf - # - '.jsv' - # - '.jsw' + # selection_tomcat_path: + # TargetFilename|contains: '\webapps\ROOT' + # selection_tomcat_ext: + # TargetFilename|contains: + # - '.jsp' # .jspx, .jspf + # - '.jsv' + # - '.jsw' filter_main_temp: # FP when unpacking some executables in $TEMP TargetFilename|contains: - '\AppData\Local\Temp\' diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml index 698d16a94..2d3b6edcc 100644 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml @@ -20,11 +20,11 @@ detection: TargetFilename|endswith: '.dll' filter_from_dll: - SourceFilename|endswith: - - '.dll' - - '.tmp' # VSCode FP + - '.dll' + - '.tmp' # VSCode FP - SourceFilename|contains: - - '.dll.' - - '\SquirrelTemp\temp' + - '.dll.' + - '\SquirrelTemp\temp' filter_empty_source: SourceFilename: '' filter_non_existing_source: diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml index 0b7020f83..6f55aa71c 100644 --- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml +++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml 
@@ -24,7 +24,7 @@ detection: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' Image|endswith: '\BackgroundTaskHost.exe' - #CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider' + # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider' filter_optional_devenv: Image|startswith: - 'C:\Program Files\Microsoft Visual Studio\' @@ -38,8 +38,8 @@ detection: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_optional_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml index e3121bd56..9934ec077 100644 --- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml +++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml @@ -20,11 +20,11 @@ logsource: detection: selection: - ImageLoaded|endswith: - - '\credui.dll' - - '\wincredui.dll' + - '\credui.dll' + - '\wincredui.dll' - OriginalFileName: - - 'credui.dll' - - 'wincredui.dll' + - 'credui.dll' + - 'wincredui.dll' filter_main_generic: Image|startswith: - 'C:\Program Files (x86)\' diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml index 18e6210ad..6852243b2 100644 --- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml 
@@ -24,8 +24,8 @@ detection: - Description: 'System.Management.Automation' - OriginalFileName: 'System.Management.Automation.dll' - ImageLoaded|endswith: - - '\System.Management.Automation.dll' - - '\System.Management.Automation.ni.dll' + - '\System.Management.Automation.dll' + - '\System.Management.Automation.ni.dll' filter_main_generic: Image|endswith: - ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7 @@ -69,7 +69,7 @@ detection: Image|endswith: - '\thor64.exe' - '\thor.exe' - #User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM + # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM filter_optional_aurora: # This filter is to avoid a race condition FP with this specific ETW provider in aurora Image: null diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index 6c1f50ee8..52bf4d102 100644 --- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -24,13 +24,13 @@ detection: ImageLoaded|endswith: '\vssapi.dll' filter_windows: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - 'C:\Windows\explorer.exe' + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\Temp\{' # Installers - - 'C:\Windows\WinSxS\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\Temp\{' # Installers + - 'C:\Windows\WinSxS\' filter_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: 
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml index 798d3de38..b8e409e86 100644 --- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml @@ -24,13 +24,13 @@ detection: ImageLoaded|endswith: '\vsstrace.dll' filter_windows: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - 'C:\Windows\explorer.exe' + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\Temp\{' # Installers - - 'C:\Windows\WinSxS\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\Temp\{' # Installers + - 'C:\Windows\WinSxS\' filter_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml index 4546a4b9d..2c627a998 100644 --- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -30,17 +30,17 @@ detection: - '\Windows\Temp\' selection_folders_2: - ImageLoaded|contains|all: - - ':\Users\' - - '\Favorites\' + - ':\Users\' + - '\Favorites\' - ImageLoaded|contains|all: - - ':\Users\' - - '\Favourites\' + - ':\Users\' + - '\Favourites\' - ImageLoaded|contains|all: - - ':\Users\' - - '\Contacts\' + - ':\Users\' + - '\Contacts\' - ImageLoaded|contains|all: - - ':\Users\' - - '\Pictures\' + - ':\Users\' + - '\Pictures\' condition: selection_dll and 1 of selection_folders_* falsepositives: - Unknown 
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml index 2523ed902..3b2313a4e 100644 --- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -19,8 +19,8 @@ detection: ImageLoaded|endswith: '\ShellDispatch.dll' filter_main_legit_path: - ImageLoaded|contains|all: - - ':\Users\' - - '\AppData\Local\Temp\' + - ':\Users\' + - '\AppData\Local\Temp\' - ImageLoaded|contains: ':\Windows\Temp\' condition: selection and not 1 of filter_main_* falsepositives: diff --git a/rules/windows/image_load/image_load_side_load_third_party.yml b/rules/windows/image_load/image_load_side_load_third_party.yml index 34b379141..9ab4d20ec 100644 --- a/rules/windows/image_load/image_load_side_load_third_party.yml +++ b/rules/windows/image_load/image_load_side_load_third_party.yml @@ -22,8 +22,8 @@ detection: filter_lenovo: - ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\' - ImageLoaded|startswith: - - 'C:\Program Files\Lenovo\Communications Utility\' - - 'C:\Program Files (x86)\Lenovo\Communications Utility\' + - 'C:\Program Files\Lenovo\Communications Utility\' + - 'C:\Program Files (x86)\Lenovo\Communications Utility\' # Toshiba selection_toshiba: ImageLoaded|endswith: '\tosbtkbd.dll' 
@@ -32,11 +32,11 @@ detection: - 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\' - 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\' # Zoom (FP with System32) - #selection_zoom: - # ImageLoaded|endswith: '\version.dll' - #filter_zoom: - # ImageLoaded|startswith: 'C:\Users\' - # ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\' + # selection_zoom: + # ImageLoaded|endswith: '\version.dll' + # filter_zoom: + # ImageLoaded|startswith: 'C:\Users\' + # ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\' condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba) falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml index ac7b39921..cdd7b1a0e 100644 --- a/rules/windows/image_load/image_load_side_load_wwlib.yml +++ b/rules/windows/image_load/image_load_side_load_wwlib.yml @@ -1,7 +1,7 @@ title: Potential WWlib.DLL Sideloading id: e2e01011-5910-4267-9c3b-4149ed5479cf status: experimental -description: Detects potential DLL sideloading of "wwlib.dll" +description: Detects potential DLL sideloading of "wwlib.dll" references: - https://twitter.com/WhichbufferArda/status/1658829954182774784 - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 36b9dafb6..df60f3ac0 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml 
@@ -20,9 +20,9 @@ detection: filter_main_generic: - Image|contains: 'Python' # FPs with python38.dll, python.exe etc. - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment filter_optional_aurora: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index 8edcc33ef..8b160f44b 100644 --- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -25,7 +25,7 @@ detection: - '\mshta.exe' - '\msxsl.exe' - '\regsvr32.exe' - #- '\svchost.exe' + # - '\svchost.exe' - '\wmic.exe' - '\wscript.exe' ImageLoaded|endswith: diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 40889cb28..ed9c37e9e 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -21,13 +21,13 @@ logsource: detection: request_client: - ImageLoaded|endswith: - - '\WsmSvc.dll' - - '\WsmAuto.dll' - - '\Microsoft.WSMan.Management.ni.dll' + - '\WsmSvc.dll' + - '\WsmAuto.dll' + - '\Microsoft.WSMan.Management.ni.dll' - OriginalFileName: - - 'WsmSvc.dll' - - 'WSMANAUTOMATION.DLL' - - 'Microsoft.WSMan.Management.dll' + - 'WsmSvc.dll' + - 'WSMANAUTOMATION.DLL' + - 'Microsoft.WSMan.Management.dll' respond_server: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' 
@@ -42,7 +42,7 @@ detection: - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' - 'svchost.exe -k NetworkService -p -s Wecsvc' - 'svchost.exe -k netsvcs' - filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Image|startswith: - 'C:\Windows\Microsoft.NET\Framework64\v' - 'C:\Windows\Microsoft.NET\Framework\v' diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index f48e71f78..dafc0b988 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml @@ -23,10 +23,10 @@ logsource: detection: selection_paths: - Image|startswith: - - 'C:\PerfLogs' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Windows\' + - 'C:\PerfLogs' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Windows\' - Image|contains: '\AppData\Temp\' selection_domains: Initiated: 'true' diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml index c82d57401..843e8a8ae 100644 --- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml +++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml @@ -86,8 +86,8 @@ detection: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_main_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' 
@@ -99,10 +99,10 @@ detection: Image|endswith: '\safari.exe' filter_main_defender: Image|endswith: - - '\MsMpEng.exe' #Microsoft Defender executable - - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable + - '\MsMpEng.exe' # Microsoft Defender executable + - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable filter_main_prtg: - #Paessler's PRTG Network Monitor + # Paessler's PRTG Network Monitor Image|endswith: - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe' - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe' @@ -194,13 +194,13 @@ detection: Image|endswith: 'GoogleDriveFS.exe' DestinationHostname|endswith: 'drive.google.com' filter_main_discord: - Image|contains: '\AppData\Local\Discord\' - Image|endswith: '\Discord.exe' - DestinationHostname|endswith: - - 'discord.com' - - 'cdn.discordapp.com' - #filter_optional_qlik: - # Image|endswith: '\Engine.exe' #Process from qlik.com app + Image|contains: '\AppData\Local\Discord\' + Image|endswith: '\Discord.exe' + DestinationHostname|endswith: + - 'discord.com' + - 'cdn.discordapp.com' + # filter_optional_qlik: + # Image|endswith: '\Engine.exe' # Process from qlik.com app condition: selection and not 1 of filter_main_* falsepositives: - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender. diff --git a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml index 15a5fe111..a87886fd5 100644 --- a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml 
@@ -47,8 +47,8 @@ detection: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_optional_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' diff --git a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml index 8bf04271a..3850deadd 100644 --- a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml +++ b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml @@ -38,8 +38,8 @@ detection: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_main_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' diff --git a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml index 9340c6090..9000832e2 100644 --- a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml +++ b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml 
@@ -10,8 +10,8 @@ tags: - attack.defense_evasion - attack.command_and_control logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: selection: Image|endswith: diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml index 113a9a9c0..d35116b2f 100644 --- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml @@ -36,21 +36,21 @@ detection: filter_optional_chrome: Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe' filter_optional_third_party: - - '\FSAssessment.exe' - - '\FSDiscovery.exe' - - '\MobaRTE.exe' - - '\mRemote.exe' - - '\mRemoteNG.exe' - - '\Passwordstate.exe' - - '\RemoteDesktopManager.exe' - - '\RemoteDesktopManager64.exe' - - '\RemoteDesktopManagerFree.exe' - - '\RSSensor.exe' - - '\RTS2App.exe' - - '\RTSApp.exe' - - '\spiceworks-finder.exe' - - '\Terminals.exe' - - '\ws_TunnelService.exe' + - '\FSAssessment.exe' + - '\FSDiscovery.exe' + - '\MobaRTE.exe' + - '\mRemote.exe' + - '\mRemoteNG.exe' + - '\Passwordstate.exe' + - '\RemoteDesktopManager.exe' + - '\RemoteDesktopManager64.exe' + - '\RemoteDesktopManagerFree.exe' + - '\RSSensor.exe' + - '\RTS2App.exe' + - '\RTSApp.exe' + - '\spiceworks-finder.exe' + - '\Terminals.exe' + - '\ws_TunnelService.exe' filter_optional_thor: Image|endswith: - '\thor.exe' diff --git a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml index 11ecc7bab..14fe0fb50 100644 --- a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml 
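Review bot: The re-indented list under `filter_optional_third_party` in net_connection_win_rdp_outbound_over_non_standard_tools.yml has no field selector, so Sigma treats it as a keyword (free-text) list rather than an `Image` match like the sibling `filter_optional_chrome` and `filter_optional_thor` filters. Backends without keyword search on network_connection events will reject or mis-translate the rule, and those with it will match the strings against any field, so the exclusion is either silently dropped or broader than a process-name filter. Assuming the intent was the same shape as `filter_optional_thor`, I would key it as `filter_optional_third_party:` / `    Image|endswith:` / `        - '\FSAssessment.exe'` with the remaining entries indented one level under it. The `condition:` that references these filters lies outside this hunk, so the `1 of filter_optional_*` semantics should be confirmed there.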
@@ -40,8 +40,8 @@ detection:
 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 - Image:
- - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 filter_optional_edge_2:
 Image|startswith:
 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
index 576cd1538..059fcffa8 100755
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -23,17 +23,17 @@ detection:
 Initiated: 'true' # only matches of the initiating system can be evaluated
 filter_generic:
 - User|contains: # covers many language settings for Network Service. Please expand
- - 'NETWORK SERVICE'
- - 'NETZWERKDIENST'
- - 'SERVIZIO DI RETE'
- - 'SERVICIO DE RED'
+ - 'NETWORK SERVICE'
+ - 'NETZWERKDIENST'
+ - 'SERVIZIO DI RETE'
+ - 'SERVICIO DE RED'
 - User|contains|all:
- - 'SERVICE R'
- - 'SEAU'
+ - 'SERVICE R'
+ - 'SEAU'
 - SourceIp|startswith: '0:0:'
 - Image:
- - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
+ - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
+ - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
 filter_localhost:
 SourceIp:
 - '::1'
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index be7304a18..3b2d987ee 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -20,29 +20,29 @@ detection:
 Initiated: 'true'
 filter:
 - DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- - '20.' # Microsoft range, caused some FPs
- - '51.103.' # Microsoft range, caused some FPs
- - '51.104.' # Microsoft range, caused some FPs
- - '51.105.' # Microsoft range, caused some FPs
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ - '20.' # Microsoft range, caused some FPs
+ - '51.103.' # Microsoft range, caused some FPs
+ - '51.104.' # Microsoft range, caused some FPs
+ - '51.105.' # Microsoft range, caused some FPs
 - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
 - SourceHostname|endswith: '.internal.cloudapp.net'
 filter_update_processes:
diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
index 4e36ac81d..6cff1bdea 100644
--- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
@@ -17,7 +17,7 @@ detection:
 Protocol: tcp
 Initiated: 'true'
 DestinationPort: 135
- #DestinationPortName: epmap
+ # DestinationPortName: epmap
 filter_image:
 Image|startswith:
 - C:\Windows\
diff --git a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
index 681ac22e0..c3c8d9807 100644
--- a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
@@ -73,8 +73,8 @@ detection:
 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 - Image:
- - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 filter_optional_edge_2:
 Image|startswith:
 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index 0edf5a72d..8e74edfde 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -27,10 +27,10 @@ detection:
 - 'C:\Windows\System32\lsass.exe'
 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
 - 'C:\Program Files\Mozilla Firefox\firefox.exe'
- #filter_browsers:
- #Image|endswith:
- # - '\opera.exe'
- # - '\tomcat\bin\tomcat8.exe'
+ # filter_browsers:
+ # Image|endswith:
+ # - '\opera.exe'
+ # - '\tomcat\bin\tomcat8.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Web Browsers
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index ad2f8d984..b344a9cf7 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -17,16 +17,16 @@ logsource:
 detection:
 selection:
 - Image|contains:
- # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows
- - '\Users\All Users\'
- - '\Users\Default\'
- - '\Users\Public\'
- - '\Users\Contacts\'
- - '\Users\Searches\'
- - '\config\systemprofile\'
- - '\Windows\Fonts\'
- - '\Windows\IME\'
- - '\Windows\addins\'
+ # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Public\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
 - Image|endswith: '\$Recycle.bin'
 - Image|startswith: 'C:\Perflogs\'
 false_positive1:
diff --git a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
index 6b02bd975..c4c72a3e4 100644
--- a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
@@ -37,8 +37,8 @@ detection:
 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 - Image:
- - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+ - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 filter_main_edge_2:
 Image|startswith:
 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
index 31747b587..7a8334821 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
@@ -24,29 +24,29 @@ logsource:
 detection:
 selection_malleable_profile_generic:
 - PipeName|startswith:
- - '\DserNamePipe'
- - '\f4c3'
- - '\f53f'
- - '\fullduplex_'
- - '\mojo.5688.8052.183894939787088877'
- - '\mojo.5688.8052.35780273329370473'
- - '\MsFteWds'
- - '\msrpc_'
- - '\mypipe-f'
- - '\mypipe-h'
- - '\ntsvcs'
- - '\PGMessagePipe'
- - '\rpc_'
- - '\scerpc'
- - '\SearchTextHarvester'
- - '\spoolss'
- - '\win_svc'
- - '\win\msrpc_'
- - '\windows.update.manager'
- - '\wkssvc'
+ - '\DserNamePipe'
+ - '\f4c3'
+ - '\f53f'
+ - '\fullduplex_'
+ - '\mojo.5688.8052.183894939787088877'
+ - '\mojo.5688.8052.35780273329370473'
+ - '\MsFteWds'
+ - '\msrpc_'
+ - '\mypipe-f'
+ - '\mypipe-h'
+ - '\ntsvcs'
+ - '\PGMessagePipe'
+ - '\rpc_'
+ - '\scerpc'
+ - '\SearchTextHarvester'
+ - '\spoolss'
+ - '\win_svc'
+ - '\win\msrpc_'
+ - '\windows.update.manager'
+ - '\wkssvc'
 - PipeName:
- - '\demoagent_11'
- - '\demoagent_22'
+ - '\demoagent_11'
+ - '\demoagent_22'
 selection_malleable_profile_catalog_change_listener:
 PipeName|startswith: '\Winsock2\CatalogChangeListener-'
 PipeName|endswith: '-0,'
diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
index 8d7029c32..0dbc9a132 100644
--- a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
@@ -39,21 +39,21 @@ detection:
 - '\bc31a7' # Pacifier
 - '\bc367' # Pacifier
 - '\bizkaz' # Snatch Ransomware
- - '\csexecsvc' #CSEXEC default
- - '\dce_3d' #Qbot
+ - '\csexecsvc' # CSEXEC default
+ - '\dce_3d' # Qbot
 - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
 - '\gruntsvc' # Covenant default
 - '\isapi_dg' # Uroburos Malware
 - '\isapi_dg2' # Uroburos Malware
 - '\isapi_http' # Uroburos Malware
- - '\jaccdpqnvbrrxlaf' #PoshC2 default
+ - '\jaccdpqnvbrrxlaf' # PoshC2 default
 - '\lsassw' # Wild Neutron APT malware
 - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
 - '\pcheap_reuse' # Pipe used by Equation Group malware
- - '\Posh*' #PoshC2 default
+ - '\Posh*' # PoshC2 default
 - '\rpchlp_3' # Project Sauron
 - '\sdlrpc' # Cobra Trojan
- - '\svcctl' #Crackmapexec smbexec default
+ - '\svcctl' # Crackmapexec smbexec default
 - '\testPipe' # Emissary Panda Hyperbro
 - '\winsession' # Wild Neutron APT malware
 # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index d3b756573..165ae4fb7 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -23,8 +23,8 @@ detection:
 filter:
 # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs
 - HostApplication|startswith:
- - 'powershell'
- - 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
+ - 'powershell'
+ - 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
 - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
 condition: selection and not filter
 falsepositives:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index ff924519a..5b57f422d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: |
 focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
- Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
+ Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
 that often undergo minimal changes by attackers due to bad opsec.
 references:
 - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index a5552753f..4d2beee03 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 718b1fdbd..28f64a870 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated use of stdin to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index 69f17fa89..7cff26c79 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index e936128b1..e11e2faa1 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index b2d88c1c3..1ec8d2507 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 936ba777c..307a68942 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index c384b6361..c0e56b255 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 3bbf11bca..6b1cef4f7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2023/01/04
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index fbe427fd1..9c54f66e3 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index daa6f1e59..464b4218d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -23,15 +23,15 @@ detection:
 - ContextInfo|contains: 'get-ADPrincipalGroupMembership'
 selection_get_aduser:
 - Payload|contains|all:
- - get-aduser
- - '-f '
- - '-pr '
- - DoesNotRequirePreAuth
+ - get-aduser
+ - '-f '
+ - '-pr '
+ - DoesNotRequirePreAuth
 - ContextInfo|contains|all:
- - get-aduser
- - '-f '
- - '-pr '
- - DoesNotRequirePreAuth
+ - get-aduser
+ - '-f '
+ - '-pr '
+ - DoesNotRequirePreAuth
 condition: 1 of selection_*
 falsepositives:
 - Administrator script
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index 52d229e37..4d8c034ea 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -20,18 +20,18 @@ logsource:
 detection:
 test_3:
 - Payload|contains:
- - 'get-localgroup'
- - 'Get-LocalGroupMember'
+ - 'get-localgroup'
+ - 'Get-LocalGroupMember'
 - ContextInfo|contains:
- - 'get-localgroup'
- - 'Get-LocalGroupMember'
+ - 'get-localgroup'
+ - 'Get-LocalGroupMember'
 test_6:
 - Payload|contains|all:
- - 'Get-WMIObject'
- - 'Win32_Group'
+ - 'Get-WMIObject'
+ - 'Win32_Group'
 - ContextInfo|contains|all:
- - 'Get-WMIObject'
- - 'Win32_Group'
+ - 'Get-WMIObject'
+ - 'Win32_Group'
 condition: 1 of test_*
 falsepositives:
 - Administrator script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index ba5bf7bd0..19ff119b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -22,7 +22,7 @@ detection:
 - 'Function Get-ADRExcelComOb'
 - 'Get-ADRGPO'
 - 'Get-ADRDomainController'
- - 'ADRecon-Report.xlsx' #Default
+ - 'ADRecon-Report.xlsx' # Default
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
index 421ddfbc5..f664d84bf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
@@ -16,7 +16,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- #4194304 DONT_REQ_PREAUTH
+ # 4194304 DONT_REQ_PREAUTH
 ScriptBlockText|contains|all:
 - 'Get-ADUser'
 - '-Filter'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
index d29d8094f..d85c0d3a5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
@@ -29,7 +29,7 @@ detection:
 - 'Windows-Defender-Features'
 - 'Windows-Defender'
 - 'Windows-Defender-ApplicationGuard'
- #- 'Containers-DisposableClientVM' # Windows Sandbox
+ # - 'Containers-DisposableClientVM' # Windows Sandbox
 condition: all of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
index a74722799..4d15f4b03 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
@@ -21,7 +21,7 @@ detection:
 selection_1:
 ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
 selection_2:
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
 - '0002DF01-0000-0000-C000-000000000046'
 - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
 - 'F5078F35-C551-11D3-89B9-0000F81FE221'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index aed9a907b..58c82cffe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -20,9 +20,9 @@ logsource:
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
- selection_pwsh_remove: #Autologger provider removal
+ selection_pwsh_remove: # Autologger provider removal
 ScriptBlockText|contains: 'Remove-EtwTraceProvider '
- selection_pwsh_set: #Provider โ€œEnableโ€ property modification
+ selection_pwsh_set: # Provider โ€œEnableโ€ property modification
 ScriptBlockText|contains|all:
 - 'Set-EtwTraceProvider '
 - '0x11'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index d5c94e644..d11c2be87 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -18,11 +18,11 @@ detection:
 selection_cmdlet:
 - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
 - ScriptBlockText|contains|all:
- - ' -i '
- - ' -d '
- - ' -p '
- - ' -doh '
- - ' -t '
+ - ' -i '
+ - ' -d '
+ - ' -p '
+ - ' -doh '
+ - ' -t '
 condition: selection_cmdlet
 falsepositives:
 - Legitimate script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index 6cb959913..b3d1e46ce 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -3,7 +3,7 @@ id: 73e67340-0d25-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 8c15056ec..004b6b437 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -3,7 +3,7 @@ id: 779c8c12-0eb1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of stdin to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/03
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 414513be8..4a65450e2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -3,7 +3,7 @@ id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 971dbfc10..045bc20c0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -3,7 +3,7 @@ id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
 status: test
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index 12648f6c8..c2bacdaeb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -3,7 +3,7 @@ id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
 status: test
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 8f67dd331..51b97ac65 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -3,7 +3,7 @@ id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
 status: test
 description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index 84982838b..b9801bd8d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -3,7 +3,7 @@ id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
 status: test
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 12c37194d..1a9c97915 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -3,7 +3,7 @@ id: e55a5195-4724-480e-a77e-3ebe64bd3759
 status: test
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2022/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 408520e48..e162cabef 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -3,7 +3,7 @@ id: e54f5149-6ba3-49cf-b153-070d24679126
 status: test
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2022/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 989e45185..fde73676a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -19,7 +19,7 @@ detection:
 ScriptBlockText|contains:
 - 'AdjustTokenPrivileges'
 - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
- #- 'LSA_UNICODE_STRING'
+ # - 'LSA_UNICODE_STRING'
 - 'Metasploit'
 - 'Microsoft.Win32.UnsafeNativeMethods'
 - 'Mimikatz'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 0b587d2e4..1da9d4f78 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -18,9 +18,9 @@ detection:
 selection:
 ScriptBlockText|contains:
 - 'Add-ConstrainedDelegationBackdoor'
- #- 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- #- 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- #- 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 - 'Copy-VSS'
 - 'Create-MultipleSessions'
 - 'DataToEncode'
@@ -44,14 +44,14 @@ detection:
 - 'FireBuster'
 - 'FireListener'
 - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
- #- 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 - 'Get-PassHints'
 - 'Get-Web-Credentials'
 - 'Get-WebCredentials'
 - 'Get-WLAN-Keys'
- #- 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 - 'HTTP-Backdoor'
- #- 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 - 'Invoke-AmsiBypass'
 - 'Invoke-BruteForce'
 - 'Invoke-CredentialsPhish'
@@ -62,18 +62,18 @@ detection: - 'Invoke-JSRatRundll' - 'Invoke-MimikatzWDigestDowngrade' - 'Invoke-NetworkRelay' - #- 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - #- 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - 'Invoke-PowerShellIcmp' - 'Invoke-PowerShellUdp' - 'Invoke-Prasadhak' - 'Invoke-PSGcat' - 'Invoke-PsGcatAgent' - #- 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - 'Invoke-SessionGopher' - 'Invoke-SSIDExfil' - #- Jitter # Prone to FPs - #- 'Keylogger' # Too generic to be linked to Nishang + # - Jitter # Prone to FPs + # - 'Keylogger' # Too generic to be linked to Nishang - 'LoggedKeys' - 'Nishang' - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI" diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml index 373c4db15..2bca32e43 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml @@ -19,7 +19,7 @@ detection: ScriptBlockText|contains: - 'Invoke-SMBAutoBrute' - 'Invoke-GPOLinks' - #- 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - 'Invoke-Potato' condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml index 3643ded65..63206ed53 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna + - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 modified: 2022/12/02 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml index c1d743df2..adf5411b2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml @@ -31,8 +31,8 @@ detection: - 'SuspendThread' - 'rundll32' # - 'FromBase64' - #- 'Invoke-WMIMethod' # Prone to FP - #- 'http://127.0.0.1' # Prone to FP + # - 'Invoke-WMIMethod' # Prone to FP + # - 'http://127.0.0.1' # Prone to FP condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index a4f4f46c3..568b04977 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml 
@@ -25,7 +25,7 @@ detection: # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString # ${e`Nv:pATh} - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' - #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme + # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' filter_chocolatey: diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml index 9cab3e260..12e28077d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml @@ -18,15 +18,15 @@ logsource: detection: selection_ioc: - ScriptBlockText|contains|all: - - 'New-CimInstance ' - - '-Namespace root/subscription ' - - '-ClassName __EventFilter ' - - '-Property ' #is a variable name + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName __EventFilter ' + - '-Property ' # is a variable name - ScriptBlockText|contains|all: - - 'New-CimInstance ' - - '-Namespace root/subscription ' - - '-ClassName CommandLineEventConsumer ' - - '-Property ' #is a variable name + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName CommandLineEventConsumer ' + - '-Property ' # is a variable name condition: selection_ioc falsepositives: - Unknown diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 82d8dd88d..824d90902 100755 
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -28,7 +28,7 @@ detection: SourceImage|endswith: 'vcredist_x64.exe' filter_main_4: TargetImage|endswith: ':\Windows\system32\systeminfo.exe' - SourceImage|endswith: 'setup64.exe' #vmware + SourceImage|endswith: 'setup64.exe' # vmware filter_main_5: TargetImage|endswith: 'AmazonSSMAgentSetup.exe' SourceImage|endswith: 'AmazonSSMAgentSetup.exe' diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml index eb8e1ca5a..4f6fa422e 100644 --- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml @@ -23,15 +23,15 @@ detection: filter_generic: # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights - SourceImage|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' - TargetImage|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' filter_thor: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' SourceImage|endswith: '\thor64.exe' diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index ccda539e6..b7be6357d 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml 
@@ -21,12 +21,12 @@ detection: selection: TargetImage|endswith: '\lsass.exe' GrantedAccess|contains: - #- '0x1fffff' # Too many false positives - #- '0x01000' # Too many false positives - #- '0x1010' # Too many false positives + # - '0x1fffff' # Too many false positives + # - '0x01000' # Too many false positives + # - '0x1010' # Too many false positives - '0x1038' # - '0x40' # Too many false positives - #- '0x1400' # Too many false positives + # - '0x1400' # Too many false positives # - '0x1410' # Too many false positives - '0x1438' - '0x143a' diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml index f3d53fb2c..70612f8b6 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml @@ -20,12 +20,12 @@ detection: selection_img: - Description|contains: '7-Zip' - Image|endswith: - - '\7z.exe' - - '\7zr.exe' - - '\7za.exe' + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' - OriginalFileName: - - '7z.exe' - - '7za.exe' + - '7z.exe' + - '7za.exe' selection_extension: CommandLine|contains: - '.dmp' diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml index 07b288bbc..a32f1a038 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml @@ -17,12 +17,12 @@ detection: selection_img: - Description|contains: '7-Zip' - Image|endswith: - - '\7z.exe' - - '\7zr.exe' - - '\7za.exe' + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' - OriginalFileName: - - '7z.exe' - - '7za.exe' + - '7z.exe' + - '7za.exe' selection_password: CommandLine|contains: ' -p' selection_action: 
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml index 7927b71fa..97f5bbc89 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml @@ -16,12 +16,12 @@ detection: selection_img: - Description|contains: '7-Zip' - Image|endswith: - - '\7z.exe' - - '\7zr.exe' - - '\7za.exe' + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' - OriginalFileName: - - '7z.exe' - - '7za.exe' + - '7z.exe' + - '7za.exe' selection_password: CommandLine|contains|all: - ' -p' diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml index a353c6c49..ad09e3ef8 100644 --- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml @@ -26,16 +26,16 @@ detection: selection_child: # Note: add other potential suspicious child processes and paths - Image|endswith: - - '\calc.exe' - - '\notepad.exe' + - '\calc.exe' + - '\notepad.exe' - Image|contains: - - '\Users\Public\' - - '\AppData\Local\Temp\' - - '\AppData\Local\Roaming\' - - ':\Temp\' - - ':\Windows\Temp\' - - ':\Windows\System32\Tasks\' - - ':\Windows\Tasks\' + - '\Users\Public\' + - '\AppData\Local\Temp\' + - '\AppData\Local\Roaming\' + - ':\Temp\' + - ':\Windows\Temp\' + - ':\Windows\System32\Tasks\' + - ':\Windows\Tasks\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml index 4231de2fa..fde7ab4d9 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml @@ -16,8 +16,8 @@ logsource: detection: selection_img: - Image|endswith: - - ':\Windows\System32\bash.exe' - - ':\Windows\SysWOW64\bash.exe' + - ':\Windows\System32\bash.exe' + - ':\Windows\SysWOW64\bash.exe' - OriginalFileName: 'Bash.exe' selection_cli: CommandLine|contains: ' -c ' diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml index ee152fff4..9b467f6d2 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml @@ -20,8 +20,8 @@ logsource: detection: selection: - Image|endswith: - - ':\Windows\System32\bash.exe' - - ':\Windows\SysWOW64\bash.exe' + - ':\Windows\System32\bash.exe' + - ':\Windows\SysWOW64\bash.exe' - OriginalFileName: 'Bash.exe' filter_main_cli_flag: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml index 61d7dde7e..c0027a638 100644 --- a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml @@ -22,11 +22,11 @@ detection: CommandLine|contains: 'set' selection_cli: - CommandLine|contains|all: - - 'bootstatuspolicy' - - 'ignoreallfailures' + - 'bootstatuspolicy' + - 'ignoreallfailures' - CommandLine|contains|all: - - 'recoveryenabled' - - 'no' + - 'recoveryenabled' + - 'no' condition: all of selection_* fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml index 3f7eb4d44..9ab5dc958 100644 
--- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml @@ -26,21 +26,21 @@ detection: - '\bginfo64.exe' selection_child: - Image|endswith: - - '\calc.exe' - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\notepad.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\wscript.exe' + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' - Image|contains: - - '\AppData\Local\' - - '\AppData\Roaming\' - - ':\Users\Public\' - - ':\Temp\' - - ':\Windows\Temp\' - - ':\PerfLogs\' + - '\AppData\Local\' + - '\AppData\Roaming\' + - ':\Users\Public\' + - ':\Temp\' + - ':\Windows\Temp\' + - ':\PerfLogs\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml index 58c8d04f9..a3eaa05e5 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml 
@@ -40,29 +40,29 @@ detection: - '://7' - '://8' - '://9' - #filter_local_ips: - # # Note: Uncomment this filter if you want to exclude local IPs - # CommandLine|contains: - # - '://10.' #10.0.0.0/8 - # - '://192.168.' #192.168.0.0/16 - # - '://172.16.' #172.16.0.0/12 - # - '://172.17.' - # - '://172.18.' - # - '://172.19.' - # - '://172.20.' - # - '://172.21.' - # - '://172.22.' - # - '://172.23.' - # - '://172.24.' - # - '://172.25.' - # - '://172.26.' - # - '://172.27.' - # - '://172.28.' - # - '://172.29.' - # - '://172.30.' - # - '://172.31.' - # - '://127.' #127.0.0.0/8 - # - '://169.254.' #169.254.0.0/16 + # filter_local_ips: + # # Note: Uncomment this filter if you want to exclude local IPs + # CommandLine|contains: + # - '://10.' # 10.0.0.0/8 + # - '://192.168.' # 192.168.0.0/16 + # - '://172.16.' # 172.16.0.0/12 + # - '://172.17.' + # - '://172.18.' + # - '://172.19.' + # - '://172.20.' + # - '://172.21.' + # - '://172.22.' + # - '://172.23.' + # - '://172.24.' + # - '://172.25.' + # - '://172.26.' + # - '://172.27.' + # - '://172.28.' + # - '://172.29.' + # - '://172.30.' + # - '://172.31.' + # - '://127.' # 127.0.0.0/8 + # - '://169.254.' # 169.254.0.0/16 filter_seven_zip: CommandLine|contains: '://7-' # For https://7-zip.org/ condition: all of selection_* and not 1 of filter_* diff --git a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml index 8298ead13..c77506e5f 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml @@ -21,13 +21,13 @@ detection: - OriginalFileName: 'cmd.exe' selection_flags: - ParentCommandLine|contains: - - '/c' - - '/k' - - '/r' + - '/c' + - '/k' + - '/r' - CommandLine|contains: - - '/c' - - '/k' - - '/r' + - '/c' + - '/k' + - '/r' selection_path_traversal: - ParentCommandLine: '/../../' - CommandLine|contains: '/../../' 
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 1f5e3cb53..34f0c4aca 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml @@ -38,21 +38,21 @@ detection: selection_parent_susp_location: - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$' - ParentCommandLine|contains: - - ':\Users\Public\' - - ':\PerfLogs\' - - '\Temporary Internet' + - ':\Users\Public\' + - ':\PerfLogs\' + - '\Temporary Internet' - ParentCommandLine|contains|all: - - ':\Users\' - - '\Favorites\' + - ':\Users\' + - '\Favorites\' - ParentCommandLine|contains|all: - - ':\Users\' - - '\Favourites\' + - ':\Users\' + - '\Favourites\' - ParentCommandLine|contains|all: - - ':\Users\' - - '\Contacts\' + - ':\Users\' + - '\Contacts\' - ParentCommandLine|contains|all: - - ':\Users\' - - '\Pictures\' + - ':\Users\' + - '\Pictures\' filter_optional_ansible: # Note: As ansible is widely used we exclude it with this generic filter. # A better option would be to filter based on script content basis or other marker while hunting diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml index 41326e42e..ef3010a15 100644 --- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml @@ -21,11 +21,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\csi.exe' - - '\rcsi.exe' + - '\csi.exe' + - '\rcsi.exe' - OriginalFileName: - - 'csi.exe' - - 'rcsi.exe' + - 'csi.exe' + - 'rcsi.exe' selection_cli: Company: 'Microsoft Corporation' condition: all of selection* 
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml index 9e3662582..cfbc94e7f 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml @@ -23,15 +23,15 @@ detection: - OriginalFileName: 'drvqry.exe' selection_parent: - ParentImage|endswith: - - '\cscript.exe' - - '\mshta.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - ParentImage|contains: - - '\AppData\Local\' - - '\Users\Public\' - - '\Windows\Temp\' + - '\AppData\Local\' + - '\Users\Public\' + - '\Windows\Temp\' condition: all of selection_* falsepositives: - Legitimate usage by some scripts might trigger this as well diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml index 5144dee4f..ace3c60f0 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml @@ -23,15 +23,15 @@ detection: - OriginalFileName: 'drvqry.exe' filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting - ParentImage|endswith: - - '\cscript.exe' - - '\mshta.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - ParentImage|contains: - - '\AppData\Local\' - - '\Users\Public\' - - '\Windows\Temp\' + - '\AppData\Local\' + - '\Users\Public\' + - '\Windows\Temp\' condition: selection and not 1 of filter_main_* falsepositives: - Legitimate use by third party tools in order to investigate installed drivers 
diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml index db3a11027..435472c69 100644 --- a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml +++ b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml @@ -20,19 +20,19 @@ detection: ParentCommandLine|contains|all: - '/Online' - '/Disable-Feature' - #- '/FeatureName:' - #- '/Remove' - #/NoRestart - #/quiet + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet selection_dism: Image|endswith: '\Dism.exe' CommandLine|contains|all: - '/Online' - '/Disable-Feature' - #- '/FeatureName:' - #- '/Remove' - #/NoRestart - #/quiet + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet condition: 1 of selection_* falsepositives: - Legitimate script diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml index 22c3b941c..5b2b08770 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml @@ -20,13 +20,13 @@ logsource: detection: selection_img: - Image|endswith: - - '\DumpMinitool.exe' - - '\DumpMinitool.x86.exe' - - '\DumpMinitool.arm64.exe' + - '\DumpMinitool.exe' + - '\DumpMinitool.x86.exe' + - '\DumpMinitool.arm64.exe' - OriginalFileName: - - 'DumpMinitool.exe' - - 'DumpMinitool.x86.exe' - - 'DumpMinitool.arm64.exe' + - 'DumpMinitool.exe' + - 'DumpMinitool.x86.exe' + - 'DumpMinitool.arm64.exe' selection_cli: CommandLine|contains: - ' Full' diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index 00f23d8d9..c8fca0f7d 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml @@ -19,13 +19,13 @@ logsource: detection: selection: - Image|endswith: - - '\DumpMinitool.exe' - - '\DumpMinitool.x86.exe' - - '\DumpMinitool.arm64.exe' + - '\DumpMinitool.exe' + - '\DumpMinitool.x86.exe' + - '\DumpMinitool.arm64.exe' - OriginalFileName: - - 'DumpMinitool.exe' - - 'DumpMinitool.x86.exe' - - 'DumpMinitool.arm64.exe' + - 'DumpMinitool.exe' + - 'DumpMinitool.x86.exe' + - 'DumpMinitool.arm64.exe' filter_folder: Image|contains: - '\Microsoft Visual Studio\' diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index e908c8136..392084eaf 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -21,7 +21,7 @@ detection: - '.cab' - '/F:' - '-F:' - - 'C:\ProgramData\' #Suspicious paths to curb FPs if any + - 'C:\ProgramData\' # Suspicious paths to curb FPs if any - 'C:\Public\' - '\AppData\Local\Temp\' - '\AppData\Roaming\Temp\' diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml index 1fa3195b0..133e05358 100644 --- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml +++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml @@ -25,8 +25,8 @@ detection: # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique. - CommandLine|contains|all: - - 'explorer.exe' - - ' /root,' + - 'explorer.exe' + - ' /root,' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml index 65f53c7fc..3db20c367 100644 --- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml +++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml @@ -16,8 +16,8 @@ logsource: detection: selection_img: - Image|endswith: - - '\git.exe' - - '\git-remote-https.exe' + - '\git.exe' + - '\git-remote-https.exe' - OriginalFileName: 'git.exe' selection_cli: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml index 7ff24bfd4..89b970ea3 100644 --- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml @@ -22,9 +22,9 @@ detection: # Some other legit child process might exist. It's better to make a baseline before running this in production - Image|contains: '\Google' # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe - Image|endswith: - - '\setup.exe' - - 'chrome_updater.exe' - - 'chrome_installer.exe' + - '\setup.exe' + - 'chrome_updater.exe' + - 'chrome_installer.exe' filter_main_image_null: Image: null condition: selection and not 1 of filter_main_* diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml index 856b5a3d7..7f1f207da 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml 
@@ -16,8 +16,8 @@ logsource: detection: selection_metadata: - Image|endswith: - - '\gpg.exe' - - '\gpg2.exe' + - '\gpg.exe' + - '\gpg2.exe' - Description: 'GnuPGโ€™s OpenPGP tool' selection_cli: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml index 3691d1022..4b692d985 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml @@ -16,8 +16,8 @@ logsource: detection: selection_metadata: - Image|endswith: - - '\gpg.exe' - - '\gpg2.exe' + - '\gpg.exe' + - '\gpg2.exe' - Description: 'GnuPGโ€™s OpenPGP tool' selection_cli: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 1101f32c3..715413718 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml @@ -17,8 +17,8 @@ logsource: detection: selection: - Image|endswith: - - '\gpg.exe' - - '\gpg2.exe' + - '\gpg.exe' + - '\gpg2.exe' - OriginalFileName: 'gpg.exe' - Description: 'GnuPGโ€™s OpenPGP tool' filter_main_legit_location: diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml index 24f49c3c5..c23848413 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -16,8 +16,8 @@ logsource: detection: selection_metadata: - Image|endswith: - - '\gpg.exe' - - '\gpg2.exe' + - '\gpg.exe' + - '\gpg2.exe' - Product: 'GNU Privacy Guard (GnuPG)' - Description: 'GnuPGโ€™s OpenPGP tool' selection_cli: 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml index b60f4de60..b53d6d615 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml @@ -25,11 +25,11 @@ detection: - Product|contains: 'SharpHound' - Description|contains: 'SharpHound' - Company|contains: - - 'SpecterOps' - - 'evil corp' + - 'SpecterOps' + - 'evil corp' - Image|contains: - - '\Bloodhound.exe' - - '\SharpHound.exe' + - '\Bloodhound.exe' + - '\SharpHound.exe' selection_cli_1: CommandLine|contains: - ' -CollectionMethod All ' diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml index 73030ed2a..3b37c3609 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml @@ -20,8 +20,8 @@ detection: - Image|endswith: '\rundll32.exe' - OriginalFileName: RUNDLL32.EXE - CommandLine|contains: - - 'rundll32.exe' - - 'rundll32 ' + - 'rundll32.exe' + - 'rundll32 ' selection_params: CommandLine|contains: '.dll' CommandLine|endswith: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml index a15f5d4e5..3bc54475a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml 
@@ -21,13 +21,13 @@ detection: CommandLine|contains: ' --exploitId ' selection_loader_imphash: - Imphash: - - 'a75d7669db6b2e107a44c4057ff7f7d6' - - 'f91624350e2c678c5dcbe5e1f24e22c9' - - '14c81850a079a87e83d50ca41c709a15' + - 'a75d7669db6b2e107a44c4057ff7f7d6' + - 'f91624350e2c678c5dcbe5e1f24e22c9' + - '14c81850a079a87e83d50ca41c709a15' - Hashes: - - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6' - - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9' - - 'IMPHASH=14C81850A079A87E83D50CA41C709A15' + - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6' + - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9' + - 'IMPHASH=14C81850A079A87E83D50CA41C709A15' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml index d15da8c8a..669167d03 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml @@ -19,11 +19,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains: - 'join*split' diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml index 3ea7a774b..ee89630b6 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml 
@@ -17,181 +17,181 @@ logsource:
 detection:
 selection:
 - Imphash:
- - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
- - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
- - bf6223a49e45d99094406777eb6004ba # PetitPotam
- - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
- - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
- - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
- - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
- - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
- - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
- - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
- - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
- - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
- - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
- - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
- - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
- - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
- - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
- - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
- - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- - 6118619783fc175bc7ebecff0769b46e # RoguePotato
- - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
- - 563233bfa169acc7892451f71ad5850a # RoguePotato
- - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
- - 13f08707f759af6003837a150a371ba1 # Pwdump
- - 1781f06048a7e58b323f0b9259be798b # Pwdump
- - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
- - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
- - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
- - 713c29b396b907ed71a72482759ed757 # Pwdump
- - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
- - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
- - 8b114550386e31895dfab371e741123d # Pwdump
- - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
- - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
- - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
- - cb567f9498452721d77a451374955f5f # Pwdump
- - 730073214094cd328547bf1f72289752 # Htran
- - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
- - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
- - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
- - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
- - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
- - 0588081ab0e63ba785938467e1b10cca # PPLDump
- - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
- - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
- - 4da924cf622d039d58bce71cdf05d242 # NanoDump
- - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
- - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
- - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
- - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
- - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
- - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
- - e6f9d5152da699934b30daab206471f6 # NanoDump
- - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
- - ffdd59e0318b85a3e480874d9796d872 # NanoDump
- - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
- - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
- - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
- - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
- - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
- - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
- - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
- - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
- - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
- - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
- - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
- - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
- - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
- - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
- - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
- - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
- - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
- - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
- - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
- - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
- - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
- - a53a02b997935fd8eedcb5f7abab9b9f # WCE
- - e96a73c7bf33a464c510ede582318bf2 # WCE
- - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
- - 09D278F9DE118EF09163C6140255C690 # Dumpert
- - 03866661686829d806989e2fc5a72606 # Dumpert
- - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - 19584675d94829987952432e018d5056 # SysmonQuiet
- - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+ - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
+ - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
+ - bf6223a49e45d99094406777eb6004ba # PetitPotam
+ - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
+ - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
+ - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
+ - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
+ - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
+ - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
+ - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
+ - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
+ - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
+ - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
+ - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
+ - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
+ - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
+ - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
+ - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
+ - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
+ - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
+ - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
+ - 6118619783fc175bc7ebecff0769b46e # RoguePotato
+ - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
+ - 563233bfa169acc7892451f71ad5850a # RoguePotato
+ - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
+ - 13f08707f759af6003837a150a371ba1 # Pwdump
+ - 1781f06048a7e58b323f0b9259be798b # Pwdump
+ - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
+ - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
+ - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
+ - 713c29b396b907ed71a72482759ed757 # Pwdump
+ - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
+ - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
+ - 8b114550386e31895dfab371e741123d # Pwdump
+ - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
+ - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
+ - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
+ - cb567f9498452721d77a451374955f5f # Pwdump
+ - 730073214094cd328547bf1f72289752 # Htran
+ - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
+ - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
+ - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
+ - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
+ - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
+ - 0588081ab0e63ba785938467e1b10cca # PPLDump
+ - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
+ - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
+ - 4da924cf622d039d58bce71cdf05d242 # NanoDump
+ - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
+ - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
+ - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
+ - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
+ - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
+ - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
+ - e6f9d5152da699934b30daab206471f6 # NanoDump
+ - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
+ - ffdd59e0318b85a3e480874d9796d872 # NanoDump
+ - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
+ - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
+ - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
+ - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
+ - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
+ - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
+ - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
+ - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
+ - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+ - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
+ - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
+ - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
+ - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
+ - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
+ - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
+ - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
+ - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
+ - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
+ - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
+ - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
+ - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
+ - a53a02b997935fd8eedcb5f7abab9b9f # WCE
+ - e96a73c7bf33a464c510ede582318bf2 # WCE
+ - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
+ - 09D278F9DE118EF09163C6140255C690 # Dumpert
+ - 03866661686829d806989e2fc5a72606 # Dumpert
+ - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - 19584675d94829987952432e018d5056 # SysmonQuiet
+ - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
 - Hashes|contains: # Sysmon field hashes contains all types
- - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
- - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
- - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
- - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
- - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
- - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
- - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
- - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
- - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
- - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
- - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
- - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
- - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
- - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
- - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
- - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- - IMPHASH=730073214094CD328547BF1F72289752 # Htran
- - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+ - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+ - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+ - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+ - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+ - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+ - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+ - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+ - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+ - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+ - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+ - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+ - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+ - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+ - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+ - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+ - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+ - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+ - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
+ - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
+ - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+ - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+ - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+ - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+ - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+ - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+ - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+ - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+ - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+ - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+ - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+ - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+ - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+ - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+ - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+ - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+ - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+ - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+ - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+ - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+ - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+ - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+ - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+ - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+ - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+ - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+ - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+ - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+ - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+ - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+ - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+ - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+ - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+ - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+ - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+ - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+ - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+ - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+ - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+ - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+ - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+ - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+ - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+ - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+ - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+ - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+ - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+ - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+ - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+ - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+ - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+ - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+ - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+ - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+ - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+ - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+ - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+ - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+ - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+ - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+ - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+ - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+ - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+ - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
 condition: selection
 falsepositives:
 - Legitimate use of one of these tools
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index 689518084..d51c41ec2 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -19,11 +19,11 @@ detection:
 CommandLine|contains: '--pid:'
 selection_loader_imphash:
 - Imphash:
- - '38d9e015591bbfd4929e0d0f47fa0055'
- - '0e2216679ca6e1094d63322e3412d650'
+ - '38d9e015591bbfd4929e0d0f47fa0055'
+ - '0e2216679ca6e1094d63322e3412d650'
 - Hashes:
- - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
+ - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
+ - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
 selection_flags:
 CommandLine|contains|all:
 - '--pid:'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index 6cc5da8ad..ab18d5659 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml 
@@ -16,57 +16,57 @@ logsource:
 detection:
 selection:
 - Image|contains:
- - '\goldenPac'
- - '\karmaSMB'
- - '\kintercept'
- - '\ntlmrelayx'
- - '\rpcdump'
- - '\samrdump'
- - '\secretsdump'
- - '\smbexec'
- - '\smbrelayx'
- - '\wmiexec'
- - '\wmipersist'
+ - '\goldenPac'
+ - '\karmaSMB'
+ - '\kintercept'
+ - '\ntlmrelayx'
+ - '\rpcdump'
+ - '\samrdump'
+ - '\secretsdump'
+ - '\smbexec'
+ - '\smbrelayx'
+ - '\wmiexec'
+ - '\wmipersist'
 - Image|endswith:
- # - '\addcomputer_windows.exe'
- - '\atexec_windows.exe'
- - '\dcomexec_windows.exe'
- - '\dpapi_windows.exe'
- # - '\esentutl_windows.exe'
- - '\findDelegation_windows.exe'
- - '\GetADUsers_windows.exe'
- # - '\getArch_windows.exe'
- - '\GetNPUsers_windows.exe'
- - '\getPac_windows.exe'
- - '\getST_windows.exe'
- - '\getTGT_windows.exe'
- - '\GetUserSPNs_windows.exe'
- - '\ifmap_windows.exe'
- # - '\lookupsid_windows.exe'
- - '\mimikatz_windows.exe'
- # - '\mqtt_check_windows.exe'
- # - '\mssqlclient_windows.exe'
- # - '\mssqlinstance_windows.exe'
- - '\netview_windows.exe'
- - '\nmapAnswerMachine_windows.exe'
- #- '\ntfs-read_windows.exe'
- - '\opdump_windows.exe'
- # - '\ping6_windows.exe'
- # - '\ping_windows.exe'
- - '\psexec_windows.exe'
- # - '\raiseChild_windows.exe'
- - '\rdp_check_windows.exe'
- #- '\registry-read_windows.exe'
- #- '\reg_windows.exe'
- - '\sambaPipe_windows.exe'
- # - '\services_windows.exe'
- - '\smbclient_windows.exe'
- - '\smbserver_windows.exe'
- - '\sniffer_windows.exe'
- - '\sniff_windows.exe'
- - '\split_windows.exe'
- - '\ticketer_windows.exe'
- # - '\wmiquery_windows.exe'
+ # - '\addcomputer_windows.exe'
+ - '\atexec_windows.exe'
+ - '\dcomexec_windows.exe'
+ - '\dpapi_windows.exe'
+ # - '\esentutl_windows.exe'
+ - '\findDelegation_windows.exe'
+ - '\GetADUsers_windows.exe'
+ # - '\getArch_windows.exe'
+ - '\GetNPUsers_windows.exe'
+ - '\getPac_windows.exe'
+ - '\getST_windows.exe'
+ - '\getTGT_windows.exe'
+ - '\GetUserSPNs_windows.exe'
+ - '\ifmap_windows.exe'
+ # - '\lookupsid_windows.exe'
+ - '\mimikatz_windows.exe'
+ # - '\mqtt_check_windows.exe'
+ # - '\mssqlclient_windows.exe'
+ # - '\mssqlinstance_windows.exe'
+ - '\netview_windows.exe'
+ - '\nmapAnswerMachine_windows.exe'
+ # - '\ntfs-read_windows.exe'
+ - '\opdump_windows.exe'
+ # - '\ping6_windows.exe'
+ # - '\ping_windows.exe'
+ - '\psexec_windows.exe'
+ # - '\raiseChild_windows.exe'
+ - '\rdp_check_windows.exe'
+ # - '\registry-read_windows.exe'
+ # - '\reg_windows.exe'
+ - '\sambaPipe_windows.exe'
+ # - '\services_windows.exe'
+ - '\smbclient_windows.exe'
+ - '\smbserver_windows.exe'
+ - '\sniffer_windows.exe'
+ - '\sniff_windows.exe'
+ - '\split_windows.exe'
+ - '\ticketer_windows.exe'
+ # - '\wmiquery_windows.exe'
 condition: selection
 falsepositives:
 - Legitimate use of the impacket tools
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
index f2fa8f6ec..c2e1e91cc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -18,15 +18,15 @@ detection:
 selection:
 - Image|endswith: '\Inveigh.exe'
 - OriginalFileName:
- - '\Inveigh.exe'
- - '\Inveigh.dll'
+ - '\Inveigh.exe'
+ - '\Inveigh.dll'
 - Description: 'Inveigh'
 - CommandLine|contains:
- - ' -SpooferIP'
- - ' -ReplyToIPs '
- - ' -ReplyToDomains '
- - ' -ReplyToMACs '
- - ' -SnifferIP'
+ - ' -SpooferIP'
+ - ' -ReplyToIPs '
+ - ' -ReplyToDomains '
+ - ' -ReplyToMACs '
+ - ' -SnifferIP'
 condition: selection
 falsepositives:
 - Very unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
index fa8edcc5e..549ee05c4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
@@ -3,7 +3,7 @@ id: b222df08-0e07-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2022/11/17
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
index 2bce3f96e..80ec9d73a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
@@ -3,7 +3,7 @@ id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of stdin to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/11/17
@@ -29,8 +29,8 @@ detection:
 selection_other:
 - CommandLine|contains: 'noexit'
 - CommandLine|contains|all:
- - 'input'
- - '$'
+ - 'input'
+ - '$'
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
index 1b7c2a270..d5603d93e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
@@ -3,7 +3,7 @@ id: 27aec9c9-dbb0-4939-8422-1742242471d0
 status: test
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/11/17
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
index 0d3e79e2e..4516306fb 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
@@ -3,7 +3,7 @@ id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
 status: test
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/12/29
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
index cf9fbbfee..b28a3c35d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
@@ -3,7 +3,7 @@ id: 9c14c9fa-1a63-4a64-8e57-d19280559490
 status: test
 description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2022/11/16
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
index 74bf46718..462132514 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
@@ -3,7 +3,7 @@ id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
 status: test
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/16
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
index c49ccb4d3..9d636d2ce 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
@@ -3,7 +3,7 @@ id: ac20ae82-8758-4f38-958e-b44a3140ca88
 status: test
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2022/03/08
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
index 1d1156c95..27bf68125 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
@@ -3,7 +3,7 @@ id: e9f55347-2928-4c06-88e5-1a7f8169942e
 status: test
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2022/11/16
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
index ffd68c88d..9bc185ef3 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
@@ -25,17 +25,17 @@ detection:
 - 'mimikatz'
 selection_function_names: # To cover functions from modules that are not in module_names
 CommandLine|contains:
- - '::aadcookie' #misc module
- - '::detours' #misc module
- - '::memssp' #misc module
- - '::mflt' #misc module
- - '::ncroutemon' #misc module
- - '::ngcsign' #misc module
- - '::printnightmare' #misc module
- - '::skeleton' #misc module
- - '::preshutdown' #service module
- - '::mstsc' #ts module
- - '::multirdp' #ts module
+ - '::aadcookie' # misc module
+ - '::detours' # misc module
+ - '::memssp' # misc module
+ - '::mflt' # misc module
+ - '::ncroutemon' # misc module
+ - '::ngcsign' # misc module
+ - '::printnightmare' # misc module
+ - '::skeleton' # misc module
+ - '::preshutdown' # service module
+ - '::mstsc' # ts module
+ - '::multirdp' # ts module
 selection_module_names:
 CommandLine|contains:
 - 'rpc::'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 39da0d883..3dc568dbb 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
@@ -40,17 +40,17 @@ detection:
 - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
 selection_hash_values:
 - md5:
- - '228dd0c2e6287547e26ffbd973a40f14'
- - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
+ - '228dd0c2e6287547e26ffbd973a40f14'
+ - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
 - sha1:
- - '5f1cbc3d99558307bc1250d084fa968521482025'
- - '3fb89787cb97d902780da080545584d97fb1c2eb'
+ - '5f1cbc3d99558307bc1250d084fa968521482025'
+ - '3fb89787cb97d902780da080545584d97fb1c2eb'
 - sha256:
- - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
- - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
+ - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
+ - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
 - Imphash:
- - '444d210cea1ff8112f256a4997eed7ff'
- - '0479f44df47cfa2ef1ccc4416a538663'
+ - '444d210cea1ff8112f256a4997eed7ff'
+ - '0479f44df47cfa2ef1ccc4416a538663'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
index 34de32a7d..dd4760d86 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
@@ -19,8 +19,8 @@ logsource:
 detection:
 selection:
 - Image|endswith:
- - '\PowerTool.exe'
- - '\PowerTool64.exe'
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
 - OriginalFileName: 'PowerTool.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
index b08e8252f..7d8d1f594 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -27,21 +27,21 @@ detection: - OriginalFileName: 'Rubeus.exe' - Description: 'Rubeus' - CommandLine|contains: - - 'asreproast ' - - 'dump /service:krbtgt ' - - 'dump /luid:0x' - - 'kerberoast ' - - 'createnetonly /program:' - - 'ptt /ticket:' - - '/impersonateuser:' - - 'renew /ticket:' - - 'asktgt /user:' - - 'harvest /interval:' - - 's4u /user:' - - 's4u /ticket:' - - 'hash /password:' - - 'golden /aes256:' - - 'silver /user:' + - 'asreproast ' + - 'dump /service:krbtgt ' + - 'dump /luid:0x' + - 'kerberoast ' + - 'createnetonly /program:' + - 'ptt /ticket:' + - '/impersonateuser:' + - 'renew /ticket:' + - 'asktgt /user:' + - 'harvest /interval:' + - 's4u /user:' + - 's4u /ticket:' + - 'hash /password:' + - 'golden /aes256:' + - 'silver /user:' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml index cdf9062a4..41e01b544 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml 
@@ -20,33 +20,33 @@ detection: selection: - Image|endswith: '\SelectMyParent.exe' - CommandLine|contains: - - 'PPID-spoof' - - 'ppid_spoof' - - 'spoof-ppid' - - 'spoof_ppid' - - 'ppidspoof' - - 'spoofppid' - - 'spoofedppid' - - ' -spawnto ' + - 'PPID-spoof' + - 'ppid_spoof' + - 'spoof-ppid' + - 'spoof_ppid' + - 'ppidspoof' + - 'spoofppid' + - 'spoofedppid' + - ' -spawnto ' - OriginalFileName|contains: - - 'PPID-spoof' - - 'ppid_spoof' - - 'spoof-ppid' - - 'spoof_ppid' - - 'ppidspoof' - - 'spoofppid' - - 'spoofedppid' + - 'PPID-spoof' + - 'ppid_spoof' + - 'spoof-ppid' + - 'spoof_ppid' + - 'ppidspoof' + - 'spoofppid' + - 'spoofedppid' - Description: 'SelectMyParent' - Imphash: - - '04d974875bd225f00902b4cad9af3fbc' - - 'a782af154c9e743ddf3f3eb2b8f3d16e' - - '89059503d7fbf470e68f7e63313da3ad' - - 'ca28337632625c8281ab8a130b3d6bad' + - '04d974875bd225f00902b4cad9af3fbc' + - 'a782af154c9e743ddf3f3eb2b8f3d16e' + - '89059503d7fbf470e68f7e63313da3ad' + - 'ca28337632625c8281ab8a130b3d6bad' - Hashes|contains: - - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC' - - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E' - - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD' - - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD' + - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC' + - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E' + - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD' + - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml index 4ef158fbe..2646ea730 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml 
@@ -25,14 +25,14 @@ detection: - OriginalFileName: 'SharpImpersonation.exe' selection_cli: - CommandLine|contains|all: - - ' user:' - - ' binary:' + - ' user:' + - ' binary:' - CommandLine|contains|all: - - ' user:' - - ' shellcode:' + - ' user:' + - ' shellcode:' - CommandLine|contains: - - ' technique:CreateProcessAsUserW' - - ' technique:ImpersonateLoggedOnuser' + - ' technique:CreateProcessAsUserW' + - ' technique:ImpersonateLoggedOnuser' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml index 3713e7551..b2ad94f10 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml @@ -21,8 +21,8 @@ detection: - Image|endswith: '\SharpEvtMute.exe' - Description: 'SharpEvtMute' - CommandLine|contains: - - '--Filter "rule ' - - '--Encoded --Filter \"' + - '--Filter "rule ' + - '--Encoded --Filter \"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml index 852ec4ce9..92acde4c3 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml @@ -20,13 +20,13 @@ detection: - Image|endswith: '\SharpUp.exe' - Description: 'SharpUp' - CommandLine|contains: - - 'HijackablePaths' - - 'UnquotedServicePath' - - 'ProcessDLLHijack' - - 'ModifiableServiceBinaries' - - 'ModifiableScheduledTask' - - 'DomainGPPPassword' - - 'CachedGPPPassword' + - 'HijackablePaths' + - 'UnquotedServicePath' + - 'ProcessDLLHijack' + - 'ModifiableServiceBinaries' + - 'ModifiableScheduledTask' + - 'DomainGPPPassword' + - 'CachedGPPPassword' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml index fbfa8dd75..1e254e2c0 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml 
@@ -27,114 +27,114 @@ detection: - OriginalFileName: 'SharpView.exe' - Image|endswith: '\SharpView.exe' - CommandLine|contains: - #- 'Add-DomainGroupMember' - #- 'Add-DomainObjectAcl' - #- 'Add-ObjectAcl' - - 'Add-RemoteConnection' - - 'Convert-ADName' - - 'ConvertFrom-SID' - - 'ConvertFrom-UACValue' - - 'Convert-SidToName' - #- 'ConvertTo-SID' - - 'Export-PowerViewCSV' - #- 'Find-DomainLocalGroupMember' - - 'Find-DomainObjectPropertyOutlier' - - 'Find-DomainProcess' - - 'Find-DomainShare' - - 'Find-DomainUserEvent' - - 'Find-DomainUserLocation' - - 'Find-ForeignGroup' - - 'Find-ForeignUser' - - 'Find-GPOComputerAdmin' - - 'Find-GPOLocation' - - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile' - - 'Find-LocalAdminAccess' - - 'Find-ManagedSecurityGroups' - #- 'Get-ADObject' - - 'Get-CachedRDPConnection' - - 'Get-DFSshare' - #- 'Get-DNSRecord' - #- 'Get-DNSZone' - #- 'Get-Domain' - - 'Get-DomainComputer' - - 'Get-DomainController' - - 'Get-DomainDFSShare' - - 'Get-DomainDNSRecord' - #- 'Get-DomainDNSZone' - - 'Get-DomainFileServer' - - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser' - - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping' - - 'Get-DomainGroup' # 'Get-DomainGroupMember' - - 'Get-DomainGUIDMap' - - 'Get-DomainManagedSecurityGroup' - - 'Get-DomainObject' # 'Get-DomainObjectAcl' - - 'Get-DomainOU' - - 'Get-DomainPolicy' # 'Get-DomainPolicyData' - - 'Get-DomainSID' - - 'Get-DomainSite' - - 'Get-DomainSPNTicket' - - 'Get-DomainSubnet' - - 'Get-DomainTrust' # 'Get-DomainTrustMapping' - #- 'Get-DomainUser' - - 'Get-DomainUserEvent' - #- 'Get-Forest' - - 'Get-ForestDomain' - - 'Get-ForestGlobalCatalog' - - 'Get-ForestTrust' - - 'Get-GptTmpl' - - 'Get-GroupsXML' - #- 'Get-GUIDMap' - #- 'Get-IniContent' - #- 'Get-IPAddress' - - 'Get-LastLoggedOn' - - 'Get-LoggedOnLocal' - - 'Get-NetComputer' # 
'Get-NetComputerSiteName' - - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust' - - 'Get-NetFileServer' - - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust' - - 'Get-NetGPO' # 'Get-NetGPOGroup' - #- 'Get-NetGroup' - - 'Get-NetGroupMember' - - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember' - - 'Get-NetLoggedon' - - 'Get-NetOU' - - 'Get-NetProcess' - - 'Get-NetRDPSession' - - 'Get-NetSession' - - 'Get-NetShare' - - 'Get-NetSite' - - 'Get-NetSubnet' - - 'Get-NetUser' - #- 'Get-ObjectAcl' - - 'Get-PathAcl' - - 'Get-PrincipalContext' - #- 'Get-Proxy' - - 'Get-RegistryMountedDrive' - - 'Get-RegLoggedOn' - #- 'Get-SiteName' - #- 'Get-UserEvent' - #- 'Get-WMIProcess' - - 'Get-WMIRegCachedRDPConnection' - - 'Get-WMIRegLastLoggedOn' - - 'Get-WMIRegMountedDrive' - - 'Get-WMIRegProxy' - - 'Invoke-ACLScanner' - - 'Invoke-CheckLocalAdminAccess' - - 'Invoke-Kerberoast' - - 'Invoke-MapDomainTrust' - - 'Invoke-RevertToSelf' - - 'Invoke-Sharefinder' - - 'Invoke-UserImpersonation' - #- 'New-DomainGroup' - #- 'New-DomainUser' - - 'Remove-DomainObjectAcl' - - 'Remove-RemoteConnection' - - 'Request-SPNTicket' - #- 'Resolve-IPAddress' - #- 'Set-ADObject' - - 'Set-DomainObject' - #- 'Set-DomainUserPassword' - - 'Test-AdminAccess' + # - 'Add-DomainGroupMember' + # - 'Add-DomainObjectAcl' + # - 'Add-ObjectAcl' + - 'Add-RemoteConnection' + - 'Convert-ADName' + - 'ConvertFrom-SID' + - 'ConvertFrom-UACValue' + - 'Convert-SidToName' + # - 'ConvertTo-SID' + - 'Export-PowerViewCSV' + # - 'Find-DomainLocalGroupMember' + - 'Find-DomainObjectPropertyOutlier' + - 'Find-DomainProcess' + - 'Find-DomainShare' + - 'Find-DomainUserEvent' + - 'Find-DomainUserLocation' + - 'Find-ForeignGroup' + - 'Find-ForeignUser' + - 'Find-GPOComputerAdmin' + - 'Find-GPOLocation' + - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile' + - 'Find-LocalAdminAccess' + - 'Find-ManagedSecurityGroups' + # - 
'Get-ADObject' + - 'Get-CachedRDPConnection' + - 'Get-DFSshare' + # - 'Get-DNSRecord' + # - 'Get-DNSZone' + # - 'Get-Domain' + - 'Get-DomainComputer' + - 'Get-DomainController' + - 'Get-DomainDFSShare' + - 'Get-DomainDNSRecord' + # - 'Get-DomainDNSZone' + - 'Get-DomainFileServer' + - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser' + - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping' + - 'Get-DomainGroup' # 'Get-DomainGroupMember' + - 'Get-DomainGUIDMap' + - 'Get-DomainManagedSecurityGroup' + - 'Get-DomainObject' # 'Get-DomainObjectAcl' + - 'Get-DomainOU' + - 'Get-DomainPolicy' # 'Get-DomainPolicyData' + - 'Get-DomainSID' + - 'Get-DomainSite' + - 'Get-DomainSPNTicket' + - 'Get-DomainSubnet' + - 'Get-DomainTrust' # 'Get-DomainTrustMapping' + # - 'Get-DomainUser' + - 'Get-DomainUserEvent' + # - 'Get-Forest' + - 'Get-ForestDomain' + - 'Get-ForestGlobalCatalog' + - 'Get-ForestTrust' + - 'Get-GptTmpl' + - 'Get-GroupsXML' + # - 'Get-GUIDMap' + # - 'Get-IniContent' + # - 'Get-IPAddress' + - 'Get-LastLoggedOn' + - 'Get-LoggedOnLocal' + - 'Get-NetComputer' # 'Get-NetComputerSiteName' + - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust' + - 'Get-NetFileServer' + - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust' + - 'Get-NetGPO' # 'Get-NetGPOGroup' + # - 'Get-NetGroup' + - 'Get-NetGroupMember' + - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember' + - 'Get-NetLoggedon' + - 'Get-NetOU' + - 'Get-NetProcess' + - 'Get-NetRDPSession' + - 'Get-NetSession' + - 'Get-NetShare' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-NetUser' + # - 'Get-ObjectAcl' + - 'Get-PathAcl' + - 'Get-PrincipalContext' + # - 'Get-Proxy' + - 'Get-RegistryMountedDrive' + - 'Get-RegLoggedOn' + # - 'Get-SiteName' + # - 'Get-UserEvent' + # - 'Get-WMIProcess' + - 'Get-WMIRegCachedRDPConnection' + - 'Get-WMIRegLastLoggedOn' + - 'Get-WMIRegMountedDrive' + - 
'Get-WMIRegProxy' + - 'Invoke-ACLScanner' + - 'Invoke-CheckLocalAdminAccess' + - 'Invoke-Kerberoast' + - 'Invoke-MapDomainTrust' + - 'Invoke-RevertToSelf' + - 'Invoke-Sharefinder' + - 'Invoke-UserImpersonation' + # - 'New-DomainGroup' + # - 'New-DomainUser' + - 'Remove-DomainObjectAcl' + - 'Remove-RemoteConnection' + - 'Request-SPNTicket' + # - 'Resolve-IPAddress' + # - 'Set-ADObject' + - 'Set-DomainObject' + # - 'Set-DomainUserPassword' + - 'Test-AdminAccess' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index c11cdc67b..1e2c088a3 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml @@ -20,11 +20,11 @@ detection: - OriginalFileName: 'Stracciatella.exe' - Description: 'Stracciatella' - Hashes|contains: - - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956' - - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a' + - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956' + - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a' - sha256: - - '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956' - - 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a' + - '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956' + - 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml index 59b80260b..278fcb649 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml @@ -19,11 +19,11 @@ detection: Image|endswith: '\SysmonEOP.exe' selection_hash: - Hashes: - - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5' - - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC' + - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5' + - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC' - Imphash: - - '22f4089eb8aba31e1bb162c6d9bf72e5' - - '5123fa4c4384d431cd0d893eeb49bbec' + - '22f4089eb8aba31e1bb162c6d9bf72e5' + - '5123fa4c4384d431cd0d893eeb49bbec' condition: 1 of selection_* falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml index fb06e4b3e..a733da1f1 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml @@ -18,17 +18,17 @@ detection: selection_pe: - Product: 'UACMe' - Company: - - 'REvol Corp' - - 'APT 92' - - 'UG North' - - 'Hazardous Environments' - - 'CD Project Rekt' + - 'REvol Corp' + - 'APT 92' + - 'UG North' + - 'Hazardous Environments' + - 'CD Project Rekt' - Description: - - 'UACMe main module' - - 'Pentesting utility' + - 'UACMe main module' + - 'Pentesting utility' - OriginalFileName: - - 'Akagi.exe' - - 'Akagi64.exe' + - 'Akagi.exe' + - 'Akagi64.exe' selection_img: Image|endswith: - '\Akagi64.exe' diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml index 434d246f1..4569bad63 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml 
@@ -17,11 +17,11 @@ logsource: detection: selection_1: - Imphash: - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 + - a53a02b997935fd8eedcb5f7abab9b9f + - e96a73c7bf33a464c510ede582318bf2 - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f - - IMPHASH=e96a73c7bf33a464c510ede582318bf2 + - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f + - IMPHASH=e96a73c7bf33a464c510ede582318bf2 selection_2: CommandLine|endswith: '.exe -S' ParentImage|endswith: '\services.exe' diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml index cd59fa71b..736eb477d 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml @@ -20,12 +20,12 @@ detection: selection_img: - OriginalFileName: 'winPEAS.exe' - Image|endswith: - - '\winPEASany.exe' - - '\winPEASany_ofs.exe' - - '\winPEASx64.exe' - - '\winPEASx64_ofs.exe' - - '\winPEASx86.exe' - - '\winPEASx86_ofs.exe' + - '\winPEASany.exe' + - '\winPEASany_ofs.exe' + - '\winPEASx64.exe' + - '\winPEASx64_ofs.exe' + - '\winPEASx86.exe' + - '\winPEASx86_ofs.exe' selection_cli_option: CommandLine|contains: - ' applicationsinfo' # Search installed applications information @@ -39,8 +39,8 @@ detection: selection_cli_dl: CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/' selection_cli_specific: - - ParentCommandLine|endswith: ' -linpeas' - - CommandLine|endswith: ' -linpeas' + - ParentCommandLine|endswith: ' -linpeas' + - CommandLine|endswith: ' -linpeas' condition: 1 of selection_* falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml index 3eb8a7f6b..260e07137 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml 
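Review bot: The re-indented hash values in proc_creation_win_hktl_wce.yml are still unquoted plain scalars (`- a53a02b997935fd8eedcb5f7abab9b9f`, `- e96a73c7bf33a464c510ede582318bf2` under Imphash, and the two `IMPHASH=...` entries under Hashes|contains), whereas every other hash-based rule touched in this PR (pchunter, sysmoneop, stracciatella) quotes them. These two particular values happen to parse as strings, but hex digests in general can be mis-typed by a YAML loader when they match a numeric form, so quoting is the safer convention for IoC values. Since this commit is a formatting pass over these exact lines, I would quote them here as `- 'a53a02b997935fd8eedcb5f7abab9b9f'` and `- 'e96a73c7bf33a464c510ede582318bf2'`, and likewise the two IMPHASH= entries. The detection block continues past the hunk (selection_2 is cut off), so I cannot confirm whether the condition line is affected.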
+++ b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml @@ -18,10 +18,10 @@ detection: selection: - Image|endswith: '\xordump.exe' - CommandLine|contains: - - ' -process lsass.exe ' - - ' -m comsvcs ' - - ' -m dbghelp ' - - ' -m dbgcore ' + - ' -process lsass.exe ' + - ' -m comsvcs ' + - ' -m dbghelp ' + - ' -m dbgcore ' condition: selection falsepositives: - Another tool that uses the command line switches of XORdump diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml index cdc837aa2..8a657974a 100644 --- a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml +++ b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml @@ -16,7 +16,7 @@ detection: selection_icacls: - OriginalFileName: 'iCACLS.EXE' - Image|endswith: '\icacls.exe' - selection_cmd: #icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC) + selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC) CommandLine|contains|all: - 'C:\Users\' - '/deny' diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml index 626e4fa9e..41509fdac 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml @@ -25,8 +25,8 @@ detection: Image|endswith: - '\msoasb.exe' - '\rundll32.exe' - #- 'SKYPESERVER.EXE' # Rare comment it out if you experience FP - #- 'MSOUC.EXE' # Rare comment it out if you experience FP + # - 'SKYPESERVER.EXE' # Rare comment it out if you experience FP + # - 'MSOUC.EXE' # Rare comment it out if you experience FP condition: selection and not filter falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml index eb073f271..1640f883c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml @@ -1,4 +1,4 @@ -title: Lolbin Defaultpack.exe Use As Proxy +title: Lolbin Defaultpack.exe Use As Proxy id: b2309017-4235-44fe-b5af-b15363011957 status: experimental description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml index 478c2e272..6578a7752 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml @@ -24,11 +24,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\cscript.exe' - - '\wscript.exe' + - '\cscript.exe' + - '\wscript.exe' - OriginalFileName: - - 'cscript.exe' - - 'wscript.exe' + - 'cscript.exe' + - 'wscript.exe' selection_cli: CommandLine|contains: 'gatherNetworkInfo.vbs' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml index 2c6a9ceeb..00bfdeb26 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml @@ -23,7 +23,7 @@ detection: - '"ms-word' - '.docx"' selection_cli_2: - CommandLine|contains: ' http' #cover http and https + CommandLine|contains: ' http' # Cover http and https condition: selection_img and 1 of selection_cli_* falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml index 6bdb08912..8ac6873e3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml @@ -19,15 +19,15 @@ logsource: product: windows detection: selection_parent: - #ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R' + # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R' ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe' selection_cli_img: Image|endswith: '\ssh.exe' selection_cli_flags: - CommandLine|contains: 'ProxyCommand=' - CommandLine|contains|all: - - 'PermitLocalCommand' - - 'LocalCommand' + - 'PermitLocalCommand' + - 'LocalCommand' condition: selection_parent or all of selection_cli_* falsepositives: - Legitimate usage for administration purposes diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml index b9b003ffc..36ca90da1 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml @@ -14,8 +14,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\unregmp2.exe' - - OriginalFileName: 'unregmp2.exe' + - Image|endswith: '\unregmp2.exe' + - OriginalFileName: 'unregmp2.exe' selection_cmd: CommandLine|contains: ' /HideWMP' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml index b64c9dddd..a2562faa0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml +++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml 
@@ -17,11 +17,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\cscript.exe' - - '\wscript.exe' + - '\cscript.exe' + - '\wscript.exe' - OriginalFileName: - - 'cscript.exe' - - 'wscript.exe' + - 'cscript.exe' + - 'wscript.exe' selection_cli: CommandLine|contains: '.vbs -register ' # register_app.vbs condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml index 7fb2f061e..4e66d1338 100644 --- a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml @@ -18,15 +18,15 @@ detection: ParentImage|endswith: '\mmc.exe' selection2: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\sh.exe' - - '\bash.exe' - - '\reg.exe' - - '\regsvr32.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' - Image|contains: '\BITSADMIN' condition: all of selection* fields: diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index 792747907..96b8bf4e1 100644 --- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml 
@@ -24,19 +24,19 @@ detection: - OriginalFileName: 'mofcomp.exe' selection_case: - ParentImage|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\wsl.exe' - - '\wscript.exe' - - '\cscript.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wsl.exe' + - '\wscript.exe' + - '\cscript.exe' - CommandLine|contains: - - '\AppData\Local\Temp' - - '\Users\Public\' - - '\WINDOWS\Temp\' - - '%temp%' - - '%tmp%' - - '%appdata%' + - '\AppData\Local\Temp' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - '%temp%' + - '%tmp%' + - '%appdata%' filter_main_wmiprvse: ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe' CommandLine|contains: 'C:\Windows\TEMP\' diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml index 9b46f77b9..bc95ac45d 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml @@ -21,26 +21,26 @@ detection: ParentImage|endswith: '\mshta.exe' selection_child: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\sh.exe' - - '\bash.exe' - - '\reg.exe' - - '\regsvr32.exe' - - '\bitsadmin.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' + - '\bitsadmin.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'wscript.exe' - - 'cscript.exe' - - 'Bash.exe' - - 'reg.exe' - - 'REGSVR32.EXE' - - 'bitsadmin.exe' + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wscript.exe' + - 'cscript.exe' + - 'Bash.exe' + - 'reg.exe' + - 'REGSVR32.EXE' + - 'bitsadmin.exe' condition: all of selection* falsepositives: - Printer software / driver installations 
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml index eb22b8bdd..e50506d33 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml @@ -38,16 +38,16 @@ detection: filter_img: # Filter legit Locations - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' # Suspicious extensions - CommandLine|contains: - - '.htm' - - '.hta' + - '.htm' + - '.hta' # Filter simple execution - CommandLine|endswith: - - 'mshta.exe' - - 'mshta' + - 'mshta.exe' + - 'mshta' condition: all of selection_* or (selection_img and not filter_img) falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml index 70fbe5a8d..e2734a46c 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml @@ -28,8 +28,8 @@ detection: filter_vs: - CommandLine|contains: '\DismFoDInstall.cmd' - ParentCommandLine|contains|all: - - '\MsiExec.exe -Embedding ' - - 'Global\MSI0000' + - '\MsiExec.exe -Embedding ' + - 'Global\MSI0000' condition: selection and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 0e26a1b54..a4c50a11c 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml 
@@ -36,7 +36,7 @@ detection: - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" -Y "C:\Windows\CCM\' - - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution + - '\MsiExec.exe" -Y C:\Windows\CCM\' # also need non-quoted execution condition: selection and not 1 of filter_* falsepositives: - Legitimate script diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 2b3dd6936..fe0f3401e 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -18,11 +18,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\net.exe' - - '\net1.exe' + - '\net.exe' + - '\net1.exe' - OriginalFileName: - - 'net.exe' - - 'net1.exe' + - 'net.exe' + - 'net1.exe' selection_user_option: CommandLine|contains: ' user ' selection_username: diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml index 1692746fd..86e91dce1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml @@ -19,11 +19,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\net.exe' - - '\net1.exe' + - '\net.exe' + - '\net1.exe' - OriginalFileName: - - 'net.exe' - - 'net1.exe' + - 'net.exe' + - 'net1.exe' # Covers group and localgroup flags selection_group_root: CommandLine|contains: 
diff --git a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml index 2c711a409..af802b7c9 100644 --- a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml @@ -16,18 +16,18 @@ logsource: detection: selection_img: - Image|endswith: - - '\net.exe' - - '\net1.exe' + - '\net.exe' + - '\net1.exe' - OriginalFileName: - - 'net.exe' - - 'net1.exe' + - 'net.exe' + - 'net1.exe' selection_cli: - CommandLine|endswith: - - ' use' - - ' sessions' + - ' use' + - ' sessions' - CommandLine|contains: - - ' use ' - - ' sessions ' + - ' use ' + - ' sessions ' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml index 182c19d92..e82b3014e 100644 --- a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml +++ b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml @@ -17,11 +17,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\net.exe' - - '\net1.exe' + - '\net.exe' + - '\net1.exe' - OriginalFileName: - - 'net.exe' - - 'net1.exe' + - 'net.exe' + - 'net1.exe' selection_cli: CommandLine|contains: 'view' filter: diff --git a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml index 4bac3edc7..d1622ff5d 100644 --- a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml +++ b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml 
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'share'
diff --git a/rules/windows/process_creation/proc_creation_win_net_start_service.yml b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
index 1a8e2fc20..febcf6739 100644
--- a/rules/windows/process_creation/proc_creation_win_net_start_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
index 53162407f..1699ed5fe 100644
--- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
selection_cli:
CommandLine|contains: ' stop '
condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml
index 21c91e5b3..02df7717e 100644
--- a/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml
@@ -31,11 +31,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains:
- ' group'
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
index 1335b8a55..cea23a01c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
@@ -19,11 +19,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
index 75aa985a5..181b37f2f 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
index 5de865054..faa499941 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
@@ -19,11 +19,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains:
- ' use '
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
index ebe241db3..3fc1981f4 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -21,11 +21,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add.yml b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
index a314aa29c..4aa5c466d 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
@@ -20,11 +20,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
index 46eff59d7..ecfc1a481 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
@@ -19,11 +19,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
+ - '\net.exe'
+ - '\net1.exe'
- OriginalFileName:
- - 'net.exe'
- - 'net1.exe'
+ - 'net.exe'
+ - 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
index a64b68526..0a49e5c26 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
@@ -20,16 +20,16 @@ detection:
- OriginalFileName: 'netsh.exe'
selection_cli:
- CommandLine|contains|all:
- - 'firewall'
- - 'add'
- - 'allowedprogram'
+ - 'firewall'
+ - 'add'
+ - 'allowedprogram'
- CommandLine|contains|all:
- - 'advfirewall'
- - 'firewall'
- - 'add'
- - 'rule'
- - 'action=allow'
- - 'program='
+ - 'advfirewall'
+ - 'firewall'
+ - 'add'
+ - 'rule'
+ - 'action=allow'
+ - 'program='
selection_paths:
CommandLine|contains:
- '%Public%\'
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
index ac6c47fde..57186fcec 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
@@ -29,9 +29,9 @@ detection:
selection_cli_2:
- CommandLine|contains: 'portopening'
- CommandLine|contains|all:
- - 'advfirewall'
- - 'rule'
- - 'allow'
+ - 'advfirewall'
+ - 'rule'
+ - 'allow'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
index 66a6adee2..c246111f6 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
@@ -30,7 +30,7 @@ detection:
selection_cli_2:
CommandLine|contains|all:
# Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
- - 'i ' # interface
+ - 'i ' # interface
- 'p ' # portproxy
- 'a ' # add
- 'v ' # v4tov4
diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
index e2fd9d01b..c7dd0aa6a 100644
--- a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
@@ -22,15 +22,15 @@ detection:
- OriginalFileName: 'ntdsutil.exe'
selection_cli:
- CommandLine|contains|all:
- - 'snapshot'
- - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
+ - 'snapshot'
+ - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
- CommandLine|contains|all:
- # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
- # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
- # Same case with the "instance" flag
- - 'ac'
- - ' i'
- - ' ntds'
+ # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
+ # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
+ # Same case with the "instance" flag
+ - 'ac'
+ - ' i'
+ - ' ntds'
condition: all of selection_*
falsepositives:
- Legitimate usage to restore snapshots
diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
index 97903c6cf..8f093751a 100644
--- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
@@ -22,13 +22,13 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\EXCEL.EXE'
- - '\POWERPNT.EXE'
- - '\WINWORD.exe'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.EXE'
+ - '\WINWORD.exe'
- OriginalFileName:
- - 'Excel.exe'
- - 'POWERPNT.EXE'
- - 'WinWord.exe'
+ - 'Excel.exe'
+ - 'POWERPNT.EXE'
+ - 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
index 5dc5b65fc..1c7725f76 100644
--- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
@@ -23,13 +23,13 @@ detection:
- '\dopus.exe'
selection_img:
- Image|endswith:
- - '\EXCEL.EXE'
- - '\POWERPNT.EXE'
- - '\WINWORD.exe'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.EXE'
+ - '\WINWORD.exe'
- OriginalFileName:
- - 'Excel.exe'
- - 'POWERPNT.EXE'
- - 'WinWord.exe'
+ - 'Excel.exe'
+ - 'POWERPNT.EXE'
+ - 'WinWord.exe'
selection_trusted_location:
CommandLine|contains:
# Note: these are the default locations. Admins/Users could add additional ones that you need to cover
diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
index 0201d955f..12421a51a 100644
--- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml 
@@ -23,75 +23,75 @@ detection:
ParentImage|endswith: '\onenote.exe'
selection_opt_img:
- OriginalFileName:
- - 'bitsadmin.exe'
- - 'CertOC.exe'
- - 'CertUtil.exe'
- - 'Cmd.Exe'
- - 'CMSTP.EXE'
- - 'cscript.exe'
- - 'curl.exe'
- - 'HH.exe'
- - 'IEExec.exe'
- - 'InstallUtil.exe'
- - 'javaw.exe'
- - 'Microsoft.Workflow.Compiler.exe'
- - 'msdt.exe'
- - 'MSHTA.EXE'
- - 'msiexec.exe'
- - 'Msxsl.exe'
- - 'odbcconf.exe'
- - 'pcalua.exe'
- - 'PowerShell.EXE'
- - 'RegAsm.exe'
- - 'RegSvcs.exe'
- - 'REGSVR32.exe'
- - 'RUNDLL32.exe'
- - 'schtasks.exe'
- - 'ScriptRunner.exe'
- - 'wmic.exe'
- - 'WorkFolders.exe'
- - 'wscript.exe'
+ - 'bitsadmin.exe'
+ - 'CertOC.exe'
+ - 'CertUtil.exe'
+ - 'Cmd.Exe'
+ - 'CMSTP.EXE'
+ - 'cscript.exe'
+ - 'curl.exe'
+ - 'HH.exe'
+ - 'IEExec.exe'
+ - 'InstallUtil.exe'
+ - 'javaw.exe'
+ - 'Microsoft.Workflow.Compiler.exe'
+ - 'msdt.exe'
+ - 'MSHTA.EXE'
+ - 'msiexec.exe'
+ - 'Msxsl.exe'
+ - 'odbcconf.exe'
+ - 'pcalua.exe'
+ - 'PowerShell.EXE'
+ - 'RegAsm.exe'
+ - 'RegSvcs.exe'
+ - 'REGSVR32.exe'
+ - 'RUNDLL32.exe'
+ - 'schtasks.exe'
+ - 'ScriptRunner.exe'
+ - 'wmic.exe'
+ - 'WorkFolders.exe'
+ - 'wscript.exe'
- Image|endswith:
- - '\AppVLP.exe'
- - '\bash.exe'
- - '\bitsadmin.exe'
- - '\certoc.exe'
- - '\certutil.exe'
- - '\cmd.exe'
- - '\cmstp.exe'
- - '\control.exe'
- - '\cscript.exe'
- - '\curl.exe'
- - '\forfiles.exe'
- - '\hh.exe'
- - '\ieexec.exe'
- - '\installutil.exe'
- - '\javaw.exe'
- - '\mftrace.exe'
- - '\Microsoft.Workflow.Compiler.exe'
- - '\msbuild.exe'
- - '\msdt.exe'
- - '\mshta.exe'
- - '\msidb.exe'
- - '\msiexec.exe'
- - '\msxsl.exe'
- - '\odbcconf.exe'
- - '\pcalua.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- - '\regasm.exe'
- - '\regsvcs.exe'
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\schtasks.exe'
- - '\scrcons.exe'
- - '\scriptrunner.exe'
- - '\sh.exe'
- - '\svchost.exe'
- - '\verclsid.exe'
- - '\wmic.exe'
- - '\workfolders.exe'
- - '\wscript.exe'
+ - '\AppVLP.exe'
+ - '\bash.exe'
+ - '\bitsadmin.exe'
+ - '\certoc.exe'
+ - 
'\certutil.exe'
+ - '\cmd.exe'
+ - '\cmstp.exe'
+ - '\control.exe'
+ - '\cscript.exe'
+ - '\curl.exe'
+ - '\forfiles.exe'
+ - '\hh.exe'
+ - '\ieexec.exe'
+ - '\installutil.exe'
+ - '\javaw.exe'
+ - '\mftrace.exe'
+ - '\Microsoft.Workflow.Compiler.exe'
+ - '\msbuild.exe'
+ - '\msdt.exe'
+ - '\mshta.exe'
+ - '\msidb.exe'
+ - '\msiexec.exe'
+ - '\msxsl.exe'
+ - '\odbcconf.exe'
+ - '\pcalua.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regasm.exe'
+ - '\regsvcs.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\schtasks.exe'
+ - '\scrcons.exe'
+ - '\scriptrunner.exe'
+ - '\sh.exe'
+ - '\svchost.exe'
+ - '\verclsid.exe'
+ - '\wmic.exe'
+ - '\workfolders.exe'
+ - '\wscript.exe'
selection_opt_explorer:
Image|endswith: '\explorer.exe'
CommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
index f7c267d6f..efacc94fc 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
@@ -46,17 +46,17 @@ detection:
- '\wscript.exe'
# Several FPs with rundll32.exe
# We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
- #- '\rundll32.exe'
- #filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
- # ParentImage|endswith: '\OUTLOOK.EXE'
- # Image|endswith: '\rundll32.exe'
- # CommandLine|contains: '\PhotoViewer.dll'
- #filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
- # ParentImage|endswith: '\OUTLOOK.EXE'
- # Image|endswith: '\rundll32.exe'
- # CommandLine|contains|all:
- # - 'shell32.dll,Control_RunDLL'
- # - '\SYSTEM32\SPOOL\DRIVERS\'
+ # - '\rundll32.exe'
+ # filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
+ # ParentImage|endswith: '\OUTLOOK.EXE'
+ # Image|endswith: '\rundll32.exe'
+ # CommandLine|contains: '\PhotoViewer.dll'
+ # filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
+ # ParentImage|endswith: '\OUTLOOK.EXE'
+ # Image|endswith: '\rundll32.exe'
+ # CommandLine|contains|all:
+ # - 'shell32.dll,Control_RunDLL'
+ # - '\SYSTEM32\SPOOL\DRIVERS\'
condition: selection # and not 1 of filter*
fields:
- CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
index 331db5961..abafb2abb 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
@@ -1,4 +1,4 @@
-title: Suspicious Remote Child Process From Outlook
+title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
- id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
diff --git a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
index f814eece2..d9db7943d 100644
--- a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
@@ -52,75 +52,75 @@ detection:
- '\wordview.exe'
selection_child_processes:
- OriginalFileName:
- - 'bitsadmin.exe'
- - 'CertOC.exe'
- - 'CertUtil.exe'
- - 'Cmd.Exe'
- - 'CMSTP.EXE'
- - 'cscript.exe'
- - 'curl.exe'
- - 'HH.exe'
- - 'IEExec.exe'
- - 'InstallUtil.exe'
- - 'javaw.exe'
- - 'Microsoft.Workflow.Compiler.exe'
- - 'msdt.exe'
- - 'MSHTA.EXE'
- - 'msiexec.exe'
- - 'Msxsl.exe'
- - 'odbcconf.exe'
- - 'pcalua.exe'
- - 'PowerShell.EXE'
- - 'RegAsm.exe'
- - 'RegSvcs.exe'
- - 'REGSVR32.exe'
- - 'RUNDLL32.exe'
- - 'schtasks.exe'
- - 'ScriptRunner.exe'
- - 'wmic.exe'
- - 'WorkFolders.exe'
- - 'wscript.exe'
+ - 'bitsadmin.exe'
+ - 'CertOC.exe'
+ - 'CertUtil.exe'
+ - 'Cmd.Exe'
+ - 'CMSTP.EXE'
+ - 'cscript.exe'
+ - 'curl.exe'
+ - 'HH.exe'
+ - 'IEExec.exe'
+ - 'InstallUtil.exe'
+ - 'javaw.exe'
+ - 'Microsoft.Workflow.Compiler.exe'
+ - 'msdt.exe'
+ - 'MSHTA.EXE'
+ - 'msiexec.exe'
+ - 'Msxsl.exe'
+ - 'odbcconf.exe'
+ - 'pcalua.exe'
+ - 'PowerShell.EXE'
+ - 'RegAsm.exe'
+ - 'RegSvcs.exe'
+ - 'REGSVR32.exe'
+ - 'RUNDLL32.exe'
+ - 'schtasks.exe'
+ - 'ScriptRunner.exe'
+ - 'wmic.exe'
+ - 'WorkFolders.exe'
+ - 'wscript.exe'
- Image|endswith:
- - '\AppVLP.exe'
- - '\bash.exe'
- - '\bitsadmin.exe'
- - '\certoc.exe'
- - '\certutil.exe'
- - '\cmd.exe'
- - '\cmstp.exe'
- - '\control.exe'
- - '\cscript.exe'
- - '\curl.exe'
- - '\forfiles.exe'
- - '\hh.exe'
- - '\ieexec.exe'
- - '\installutil.exe'
- - '\javaw.exe'
- - '\mftrace.exe'
- - '\Microsoft.Workflow.Compiler.exe'
- - '\msbuild.exe'
- - '\msdt.exe'
- - '\mshta.exe'
- - '\msidb.exe'
- - '\msiexec.exe'
- - '\msxsl.exe'
- - '\odbcconf.exe'
- - '\pcalua.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- - '\regasm.exe'
- - '\regsvcs.exe'
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\schtasks.exe'
- - '\scrcons.exe'
- - '\scriptrunner.exe'
- - '\sh.exe'
- - '\svchost.exe'
- - '\verclsid.exe'
- - '\wmic.exe'
- - '\workfolders.exe'
- - '\wscript.exe'
+ - '\AppVLP.exe'
+ - '\bash.exe'
+ - '\bitsadmin.exe'
+ - '\certoc.exe'
+ - 
'\certutil.exe'
+ - '\cmd.exe'
+ - '\cmstp.exe'
+ - '\control.exe'
+ - '\cscript.exe'
+ - '\curl.exe'
+ - '\forfiles.exe'
+ - '\hh.exe'
+ - '\ieexec.exe'
+ - '\installutil.exe'
+ - '\javaw.exe'
+ - '\mftrace.exe'
+ - '\Microsoft.Workflow.Compiler.exe'
+ - '\msbuild.exe'
+ - '\msdt.exe'
+ - '\mshta.exe'
+ - '\msidb.exe'
+ - '\msiexec.exe'
+ - '\msxsl.exe'
+ - '\odbcconf.exe'
+ - '\pcalua.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regasm.exe'
+ - '\regsvcs.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\schtasks.exe'
+ - '\scrcons.exe'
+ - '\scriptrunner.exe'
+ - '\sh.exe'
+ - '\svchost.exe'
+ - '\verclsid.exe'
+ - '\wmic.exe'
+ - '\workfolders.exe'
+ - '\wscript.exe'
selection_child_susp_paths:
# Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
Image|contains:
- '\AppData\'
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index 2a43a4588..115ec6be2 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -20,35 +20,35 @@ detection:
selection_susp:
# Improve this section by adding other suspicious processes, commandlines or paths
- Image|endswith:
- # If you use any of the following processes legitimately comment them out
- - '\wscript.exe'
- - '\cscript.exe'
- - '\rundll32.exe'
- - '\regsvr32.exe'
- - '\wmic.exe'
- - '\msiexec.exe'
- - '\mshta.exe'
- - '\csc.exe'
- - '\dllhost.exe'
- - '\certutil.exe'
- - '\scriptrunner.exe'
- - '\bash.exe'
- - '\wsl.exe'
+ # If you use any of the following processes legitimately comment them out
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\msiexec.exe'
+ - '\mshta.exe'
+ - '\csc.exe'
+ - '\dllhost.exe'
+ - '\certutil.exe'
+ - '\scriptrunner.exe'
+ - '\bash.exe'
+ - '\wsl.exe'
- Image|contains:
- - 'C:\Users\Public\'
- - 'C:\ProgramData\'
- - 'C:\Windows\TEMP\'
- - '\AppData\Local\Temp'
+ - 'C:\Users\Public\'
+ - 'C:\ProgramData\'
+ - 'C:\Windows\TEMP\'
+ - '\AppData\Local\Temp'
- CommandLine|contains:
- - 'iex '
- - 'Invoke-'
- - 'DownloadString'
- - 'http'
- - ' -enc '
- - ' -encodedcommand '
- - 'FromBase64String'
- - ' -decode '
- - ' -w hidden'
+ - 'iex '
+ - 'Invoke-'
+ - 'DownloadString'
+ - 'http'
+ - ' -enc '
+ - ' -encodedcommand '
+ - 'FromBase64String'
+ - ' -decode '
+ - ' -w hidden'
condition: all of selection_*
falsepositives:
- Legitimate use of the PDQDeploy tool to execute these commands
diff --git a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
index c17114f18..76ac60074 100644
--- a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
@@ -19,15 +19,15 @@ detection:
selection_standby:
# powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
- CommandLine|contains|all:
- - '/setacvalueindex '
- - 'SCHEME_CURRENT'
- - 'SUB_VIDEO'
- - 'VIDEOCONLOCK'
+ - '/setacvalueindex '
+ - 'SCHEME_CURRENT'
+ - 'SUB_VIDEO'
+ - 'VIDEOCONLOCK'
# powercfg -change -standby-timeout-dc 3000
# powercfg -change -standby-timeout-ac 3000
- CommandLine|contains|all:
- - '-change '
- - '-standby-timeout-'
+ - '-change '
+ - '-standby-timeout-'
condition: all of selection_*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
index 9dccebba6..796d5fe48 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
@@ -22,11 +22,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.Exe'
- - 'pwsh.dll'
+ - 'PowerShell.Exe'
+ - 'pwsh.dll'
selection_cli:
CommandLine|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
index 96f4cef5a..a0fe35c9f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
@@ -23,11 +23,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
index db7c7fa5d..7767ae283 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
@@ -19,11 +19,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cmdlet:
CommandLine|contains: 'Add-WindowsCapability'
selection_capa:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
index 0e988b879..2f7e7e858 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e' # covers -en and -enc
selection_cli_content:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
index 1d07b99ae..000c2b023 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
@@ -20,9 +20,9 @@ detection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
+ - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
+ - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
+ - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
index 36fc922c2..98d0a5b69 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
@@ -16,30 +16,30 @@ logsource:
detection:
selection:
- CommandLine|base64offset|contains:
- - 'IEX (['
- - 'iex (['
- - 'iex (New'
- - 'IEX (New'
- - 'IEX(['
- - 'iex(['
- - 'iex(New'
- - 'IEX(New'
- - "IEX(('"
- - "iex(('"
+ - 'IEX (['
+ - 'iex (['
+ - 'iex (New'
+ - 'IEX (New'
+ - 'IEX(['
+ - 'iex(['
+ - 'iex(New'
+ - 'IEX(New'
+ - "IEX(('"
+ - "iex(('"
# UTF16 LE
- CommandLine|contains:
- - 'SQBFAFgAIAAoAFsA'
- - 'kARQBYACAAKABbA'
- - 'JAEUAWAAgACgAWw'
- - 'aQBlAHgAIAAoAFsA'
- - 'kAZQB4ACAAKABbA'
- - 'pAGUAeAAgACgAWw'
- - 'aQBlAHgAIAAoAE4AZQB3A'
- - 'kAZQB4ACAAKABOAGUAdw'
- - 'pAGUAeAAgACgATgBlAHcA'
- - 'SQBFAFgAIAAoAE4AZQB3A'
- - 'kARQBYACAAKABOAGUAdw'
- - 'JAEUAWAAgACgATgBlAHcA'
+ - 'SQBFAFgAIAAoAFsA'
+ - 'kARQBYACAAKABbA'
+ - 'JAEUAWAAgACgAWw'
+ - 'aQBlAHgAIAAoAFsA'
+ - 'kAZQB4ACAAKABbA'
+ - 'pAGUAeAAgACgAWw'
+ - 'aQBlAHgAIAAoAE4AZQB3A'
+ - 'kAZQB4ACAAKABOAGUAdw'
+ - 'pAGUAeAAgACgATgBlAHcA'
+ - 'SQBFAFgAIAAoAE4AZQB3A'
+ - 'kARQBYACAAKABOAGUAdw'
+ - 'JAEUAWAAgACgATgBlAHcA'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
index a63db9670..510a718c9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
@@ -21,11 +21,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e'
selection_cli_invoke:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
index 8389cc06b..6c0c14778 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
@@ -18,24 +18,24 @@ logsource:
detection:
selection:
- CommandLine|base64offset|contains:
- - 'Add-MpPreference '
- - 'Set-MpPreference '
- - 'add-mppreference '
- - 'set-mppreference '
+ - 'Add-MpPreference '
+ - 'Set-MpPreference '
+ - 'add-mppreference '
+ - 'set-mppreference '
- CommandLine|contains:
- # UTF16-LE
- - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- - 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- - 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- - 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- - 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- - 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- - 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- - 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
+ # UTF16-LE
+ - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
+ - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
+ - 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
+ - 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
+ - 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
+ - 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
+ - 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
+ - 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
+ - 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
+ - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
+ - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
+ - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index 9d7dfd871..21f19606f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -20,11 +20,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cli_shadowcopy:
# Win32_Shadowcopy
CommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
index 35b32f736..38cfa229a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
@@ -19,11 +19,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
- OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
selection_cli:
CommandLine|contains: 'ConvertTo-SecureString'
condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
index afe21a9de..2e58e722c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
@@ -19,11 +19,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains: - 'hctac' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 10edeb555..82422dacd 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -18,11 +18,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_re: # TODO: Optimize for PySIGMA - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml index 427e36ead..621e908a0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml @@ -21,11 +21,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains|all: - 'Get-ADComputer ' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml index fb944f41e..2f8e0938d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml @@ -18,11 +18,11 @@ logsource: detection: selection_pwsh_binary: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_pwsh_cli: CommandLine|contains: - '-DisableBehaviorMonitoring $true' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml index 97ae87718..b8d1e8ddc 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml @@ -19,12 +19,12 @@ logsource: detection: selection_name: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - - '\powershell_ise.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\powershell_ise.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_args: CommandLine|contains|all: - 'Set-NetFirewallProfile ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml index 374d8721f..95f98d3a9 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml 
@@ -16,15 +16,15 @@ logsource: detection: selection_img: - Image|endswith: - - '\rundll32.exe' - - '\regsvcs.exe' - - '\InstallUtil.exe' - - '\regasm.exe' + - '\rundll32.exe' + - '\regsvcs.exe' + - '\InstallUtil.exe' + - '\regasm.exe' - OriginalFileName: - - 'RUNDLL32.EXE' - - 'RegSvcs.exe' - - 'InstallUtil.exe' - - 'RegAsm.exe' + - 'RUNDLL32.EXE' + - 'RegSvcs.exe' + - 'InstallUtil.exe' + - 'RegAsm.exe' selection_cli: CommandLine|contains: - 'Default.GetString' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml index 816c457b4..bc0c57874 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml @@ -20,7 +20,7 @@ detection: selection_1: CommandLine|contains: '[Type]::GetTypeFromCLSID(' selection_2: - CommandLine|contains: + CommandLine|contains: - '0002DF01-0000-0000-C000-000000000046' - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4' - 'F5078F35-C551-11D3-89B9-0000F81FE221' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml index fd6e4d62c..12631131e 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml @@ -17,11 +17,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains|all: - 'new-object' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml index 1ffc21899..73899bb5f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml @@ -16,11 +16,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.Exe' - - 'pwsh.dll' + - 'PowerShell.Exe' + - 'pwsh.dll' selection_flags: CommandLine|contains: - ' -e ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml index e6e143824..f50886c9c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml @@ -21,11 +21,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_to_1: CommandLine|contains: - 'ToInt' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml index 0283ce54a..6d774ea98 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml 
@@ -16,11 +16,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_hidden: CommandLine|contains: ' hidden ' selection_encoded: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml index 0cf0d0e91..7ec726db5 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml @@ -19,11 +19,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cmdlet: CommandLine|contains: - 'Add-AppPackage ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml index 2b7c89e89..96e512c03 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml @@ -15,11 +15,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_commands: CommandLine|contains: # These are all aliases of Invoke-WebRequest 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index ebfd64211..bf6cc03c8 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml @@ -19,11 +19,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_commands: CommandLine|contains: # These are all aliases of Invoke-WebRequest diff --git a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml index 5f4691ba7..4920282f6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml @@ -16,11 +16,11 @@ logsource: detection: selection: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' filter_main_generic: ParentImage|endswith: - ':\Windows\explorer.exe' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml index 62a9d9264..4c0913b5c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml 
@@ -18,11 +18,11 @@ logsource: detection: selection_img: - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' selection_cli: CommandLine|contains|all: - ' Net.Sockets.TCPClient' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml index ae368d748..515cc7f05 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml @@ -22,11 +22,11 @@ logsource: detection: selection_img: - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' selection_cmdlet: CommandLine|contains|all: - 'Set-Acl ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml index 18ee7b148..7d1ea1f8b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml @@ -22,11 +22,11 @@ logsource: detection: selection_img: - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' selection_cmdlet: CommandLine|contains|all: - 'Set-Acl ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index 0153860ee..64c0f98a2 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml @@ -20,11 +20,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains: 'Add-PSSnapin' selection_module: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml index 8d319f1ee..092927487 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml @@ -16,11 +16,11 @@ logsource: detection: selection_sc_net_img: - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' selection_cli: CommandLine|contains: 'Stop-Service ' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml index 65248da63..a11fa914f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml 
@@ -20,41 +20,41 @@ detection: selection_parent: - ParentImage|contains: 'tomcat' - ParentImage|endswith: - - '\amigo.exe' - - '\browser.exe' - - '\chrome.exe' - - '\firefox.exe' - - '\httpd.exe' - - '\iexplore.exe' - - '\jbosssvc.exe' - - '\microsoftedge.exe' - - '\microsoftedgecp.exe' - - '\MicrosoftEdgeSH.exe' - - '\mshta.exe' - - '\nginx.exe' - - '\outlook.exe' - - '\php-cgi.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\safari.exe' - - '\services.exe' - - '\sqlagent.exe' - - '\sqlserver.exe' - - '\sqlservr.exe' - - '\vivaldi.exe' - - '\w3wp.exe' + - '\amigo.exe' + - '\browser.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\httpd.exe' + - '\iexplore.exe' + - '\jbosssvc.exe' + - '\microsoftedge.exe' + - '\microsoftedgecp.exe' + - '\MicrosoftEdgeSH.exe' + - '\mshta.exe' + - '\nginx.exe' + - '\outlook.exe' + - '\php-cgi.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\safari.exe' + - '\services.exe' + - '\sqlagent.exe' + - '\sqlserver.exe' + - '\sqlservr.exe' + - '\vivaldi.exe' + - '\w3wp.exe' selection_powershell: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - CommandLine|contains: - - '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line - - '/c pwsh' + - '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line + - '/c pwsh' - Description: 'Windows PowerShell' - Product: 'PowerShell Core 6' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' condition: all of selection_* falsepositives: - Other scripts diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml index af2e71298..89c496f85 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml 
@@ -24,7 +24,7 @@ detection: # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString # ${e`Nv:pATh} - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]' - #- CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme + # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - CommandLine|re: '"(\{\d\})+"\s*-f' - CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml index 4ff5f7fca..c606d36f7 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml @@ -20,11 +20,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_cli: CommandLine|contains|all: - 'Get-ADUser ' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml index 5fdc0c8b1..4523382b2 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml @@ -16,11 +16,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_encoded: CommandLine|contains: - 'TgBlAFQALgB3AEUAQg' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml index e93a4ca77..8932afd0c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -25,11 +25,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Description: 'Windows PowerShell' - Product: 'PowerShell Core 6' selection_cli_xor: diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index c9732a038..b0307ffde 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml 
@@ -26,24 +26,24 @@ detection: filter_main_covered_children: # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd - Image|endswith: - - '\calc.exe' - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\notepad.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - Image|contains: - - ':\PerfLogs\' - - ':\Temp\' - - ':\Users\Public\' - - '\AppData\Temp\' - - '\Windows\System32\Tasks\' - - '\Windows\Tasks\' - - '\Windows\Temp\' + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index 69c18763e..b0d6a0d3e 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml 
@@ -25,24 +25,24 @@ detection: ParentImage|endswith: '\provlaunch.exe' selection_child: - Image|endswith: - - '\calc.exe' - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\notepad.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - Image|contains: - - ':\PerfLogs\' - - ':\Temp\' - - ':\Users\Public\' - - '\AppData\Temp\' - - '\Windows\System32\Tasks\' - - '\Windows\Tasks\' - - '\Windows\Temp\' + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml index 495145207..46de677f3 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml @@ -27,12 +27,12 @@ detection: selection: - OriginalFileName: 'AdvancedRun.exe' - CommandLine|contains|all: - - ' /EXEFilename ' - - ' /Run' + - ' /EXEFilename ' + - ' /Run' - CommandLine|contains|all: - - ' /WindowState 0' - - ' /RunAs ' - - ' /CommandLine ' + - ' /WindowState 0' + - ' /RunAs ' + - ' /CommandLine ' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml index db0eda6db..aa7251a2f 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml 
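Review bot: `'\AppData\Temp\'` in the `Image|contains` list of `selection_child` does not correspond to a standard Windows location — the per-user temp directory is `%LOCALAPPDATA%\Temp`, i.e. `\AppData\Local\Temp\`, and that path does not contain the substring `\AppData\Temp\` — so a provlaunch.exe child dropped in the most common user-writable temp folder is not caught by this rule as written. Unless the entry deliberately targets a non-standard path, it should read `- '\AppData\Local\Temp\'`; the re-indent in this hunk preserves the current string. The previous file in this PR (the companion rule whose `filter_main_covered_children` cites id f9999590-1f94-4a34-a91e-951e47bedefd) carries the identical list as its de-duplication filter, so both lists need the same correction or the duplicate-alert suppression that comment describes stops lining up.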
@@ -27,15 +27,15 @@ detection: - '/CommandLine' selection_runas: - CommandLine|contains: - - ' /RunAs 8 ' - - ' /RunAs 4 ' - - ' /RunAs 10 ' - - ' /RunAs 11 ' + - ' /RunAs 8 ' + - ' /RunAs 4 ' + - ' /RunAs 10 ' + - ' /RunAs 11 ' - CommandLine|endswith: - - '/RunAs 8' - - '/RunAs 4' - - '/RunAs 10' - - '/RunAs 11' + - '/RunAs 8' + - '/RunAs 4' + - '/RunAs 10' + - '/RunAs 11' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml index a98e5fe70..9426e44bc 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml @@ -24,9 +24,9 @@ detection: selection_hashes: # v0.44.0 - Hashes|contains: - - "MD5=7D9C233B8C9E3F0EA290D2B84593C842" - - "SHA1=06DDC9280E1F1810677935A2477012960905942F" - - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C" + - "MD5=7D9C233B8C9E3F0EA290D2B84593C842" + - "SHA1=06DDC9280E1F1810677935A2477012960905942F" + - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C" - md5: '7d9c233b8c9e3f0ea290d2b84593c842' - sha1: '06ddc9280e1f1810677935a2477012960905942f' - sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c' diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml index f16e0cb09..72972052e 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml 
@@ -25,9 +25,9 @@ detection: selection_hashes: # v0.4 - Hashes|contains: - - "MD5=9DB2D314DD3F704A02051EF5EA210993" - - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD" - - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731" + - "MD5=9DB2D314DD3F704A02051EF5EA210993" + - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD" + - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731" - md5: '9db2d314dd3f704a02051ef5ea210993' - sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd' - sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731' diff --git a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml index b91798f7a..5fc57befa 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml @@ -30,7 +30,7 @@ detection: - ' -l -v -p ' - ' -lv -p ' - ' -l --proxy-type http ' - #- ' --exec cmd.exe ' # Not specific enough for netcat + # - ' --exec cmd.exe ' # Not specific enough for netcat - ' -vnl --exec ' - ' -vnl -e ' - ' --lua-exec ' diff --git a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml index 78593fc5d..34b9d7762 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml @@ -17,11 +17,11 @@ logsource: detection: selection: - Image|endswith: - - '\nmap.exe' - - '\zennmap.exe' + - '\nmap.exe' + - '\zennmap.exe' - OriginalFileName: - - 'nmap.exe' - - 'zennmap.exe' + - 'nmap.exe' + - 'zennmap.exe' condition: selection falsepositives: - Network administrator computer diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml index 40c3bd77f..1e2bad0cc 100644 
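Review bot: The Zenmap entries in `proc_creation_win_pua_nmap_zenmap.yml` are spelled `'\zennmap.exe'` / `'zennmap.exe'` (double n) in both the `Image|endswith` and `OriginalFileName` lists; the Zenmap GUI's executable is, as far as I know, `zenmap.exe`, so the Zenmap half of this rule likely never matches and only the `nmap.exe` entries are effective. The re-indent keeps the typo, so it is worth correcting while the file is touched: `- '\zenmap.exe'` and `- 'zenmap.exe'`. If the double-n spelling is intentional for some specific build, a one-line comment next to the entries saying so would stop the next reader from "fixing" it.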
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml @@ -26,9 +26,9 @@ detection: selection_hashes: # v0.26.10 - Hashes|contains: - - "MD5=AE8ACF66BFE3A44148964048B826D005" - - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" - - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856" + - "MD5=AE8ACF66BFE3A44148964048B826D005" + - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" + - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856" - md5: 'ae8acf66bfe3a44148964048b826d005' - sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' - sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856' diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml index 0b0b08f81..8caff78c9 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml @@ -18,13 +18,13 @@ logsource: detection: selection_img: - Image|endswith: - - '\NSudo.exe' - - '\NSudoLC.exe' - - '\NSudoLG.exe' + - '\NSudo.exe' + - '\NSudoLC.exe' + - '\NSudoLG.exe' - OriginalFileName: - - 'NSudo.exe' - - 'NSudoLC.exe' - - 'NSudoLG.exe' + - 'NSudo.exe' + - 'NSudoLC.exe' + - 'NSudoLG.exe' selection_cli: CommandLine|contains: # Covers Single/Double dash "-"/"--" + ":" diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml index bcbe37797..be5017f75 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml 
@@ -27,8 +27,8 @@ detection: - Image|contains: '\ProcessHacker_' - Image|endswith: '\ProcessHacker.exe' - OriginalFileName: - - 'ProcessHacker.exe' - - 'Process Hacker' + - 'ProcessHacker.exe' + - 'Process Hacker' - Description: 'Process Hacker' - Product: 'Process Hacker' selection_hashes: @@ -43,17 +43,17 @@ detection: - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF' selection_hash_values: - md5: - - '68f9b52895f4d34e74112f3129b3b00d' - - 'b365af317ae730a67c936f21432b9c71' + - '68f9b52895f4d34e74112f3129b3b00d' + - 'b365af317ae730a67c936f21432b9c71' - sha1: - - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' - - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' + - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' + - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' - sha256: - - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f' - - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4' + - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f' + - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4' - Imphash: - - '04de0ad9c37eb7bd52043d2ecac958df' - - '3695333c60dedecdcaff1590409aa462' + - '04de0ad9c37eb7bd52043d2ecac958df' + - '3695333c60dedecdcaff1590409aa462' condition: 1 of selection_* falsepositives: - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml index 304c099c5..3978ecc24 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml 
@@ -21,8 +21,8 @@ logsource: detection: selection_img: - Image|endswith: - - '\rcedit-x64.exe' - - '\rcedit-x86.exe' + - '\rcedit-x64.exe' + - '\rcedit-x86.exe' - Description: 'Edit resources of exe' - Product: 'rcedit' selection_flags: diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml index bd22c91ca..6432783ae 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml @@ -22,23 +22,23 @@ detection: - OriginalFileName: 'Seatbelt.exe' - Description: 'Seatbelt' - CommandLine|contains: - # This just a list of the commands that will produce the least amount of FP in "theory" - # Comment out/in as needed in your environment - # To get the full list of commands see reference section - - ' DpapiMasterKeys' - - ' InterestingProcesses' - - ' InterestingFiles' - - ' CertificateThumbprints' - - ' ChromiumBookmarks' - - ' ChromiumHistory' - - ' ChromiumPresence' - - ' CloudCredentials' - - ' CredEnum' - - ' CredGuard' - - ' FirefoxHistory' - - ' ProcessCreationEvents' - #- ' RDPSessions' - #- ' PowerShellHistory' + # This just a list of the commands that will produce the least amount of FP in "theory" + # Comment out/in as needed in your environment + # To get the full list of commands see reference section + - ' DpapiMasterKeys' + - ' InterestingProcesses' + - ' InterestingFiles' + - ' CertificateThumbprints' + - ' ChromiumBookmarks' + - ' ChromiumHistory' + - ' ChromiumPresence' + - ' CloudCredentials' + - ' CredEnum' + - ' CredGuard' + - ' FirefoxHistory' + - ' ProcessCreationEvents' + # - ' RDPSessions' + # - ' PowerShellHistory' selection_group_list: CommandLine|contains: - ' -group=misc' diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml index e7fe73930..ebe83fdc6 100644 
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml @@ -11,7 +11,7 @@ author: Florian Roth (Nextron Systems) date: 2023/05/08 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege_escalation - attack.discovery - attack.defense_evasion - attack.t1082 diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml index 8246a8140..799db7a3c 100644 --- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml @@ -19,9 +19,9 @@ detection: selection_img: - OriginalFileName: 'python.exe' - Image|endswith: - - 'python.exe' # no \ bc of e.g. ipython.exe - - 'python3.exe' - - 'python2.exe' + - 'python.exe' # no \ bc of e.g. ipython.exe + - 'python3.exe' + - 'python2.exe' selection_cli: CommandLine|contains: ' -c' filter_python: # Based on baseline diff --git a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml index ccf57524f..75cb8e25d 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml @@ -26,11 +26,11 @@ detection: - '/s' hive: - CommandLine|contains|all: - - '/f ' - - 'HKLM' + - '/f ' + - 'HKLM' - CommandLine|contains|all: - - '/f ' - - 'HKCU' + - '/f ' + - 'HKCU' - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions' condition: reg and hive falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml index 43fd9e12f..47394ec8c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml @@ -7,7 +7,7 @@ status: test description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna + - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 modified: 2022/10/09 diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml index 102cb30dc..ca933be83 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml @@ -63,5 +63,3 @@ detection: falsepositives: - Rare legitimate use by administrators to test software (should always be investigated) level: high - - \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml index f46b5b247..20f82536a 100644 --- a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml 
@@ -18,11 +18,11 @@ logsource: detection: selection_img: - Image|endswith: - - '\Regsvcs.exe' - - '\Regasm.exe' + - '\Regsvcs.exe' + - '\Regasm.exe' - OriginalFileName: - - 'RegSvcs.exe' - - 'RegAsm.exe' + - 'RegSvcs.exe' + - 'RegAsm.exe' selection_dir: CommandLine|contains: # Add more suspicious directories diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml index a6e63be09..30fd5338f 100644 --- a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml +++ b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml @@ -20,7 +20,7 @@ logsource: detection: selection_img: - Image|endswith: '\regedit.exe' - - OriginalFileName: 'REGEDIT.EXE' + - OriginalFileName: 'REGEDIT.EXE' selection_cli: CommandLine|contains: - ' /E ' diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml index 6f565560b..3a5296a2b 100644 --- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml +++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml @@ -20,7 +20,7 @@ logsource: detection: selection_img: - Image|endswith: '\regedit.exe' - - OriginalFileName: 'REGEDIT.EXE' + - OriginalFileName: 'REGEDIT.EXE' selection_cli: CommandLine|contains: - ' /i ' diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml index fb13ef2fa..e17f2f976 100644 --- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml 
@@ -20,7 +20,7 @@ logsource: detection: selection_img: - Image|endswith: '\regedit.exe' - - OriginalFileName: 'REGEDIT.EXE' + - OriginalFileName: 'REGEDIT.EXE' selection_cli: CommandLine|contains: - ' /i ' diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml index 2f01ac540..59033fddc 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml @@ -22,12 +22,12 @@ detection: CommandLine|contains|all: - '\System\CurrentControlSet\Services\' - '\NetworkProvider' - #filter: - # CommandLine|contains: - # - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' - # - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - # - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' - # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + # filter: + # CommandLine|contains: + # - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + # - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + # - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV condition: selection falsepositives: - Other legitimate network providers used and not filtred in this rule diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml index 888ca8f76..aea1ed06c 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml 
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml @@ -15,8 +15,8 @@ logsource: detection: selection: - Image|endswith: - - '\rutserv.exe' - - '\rfusclient.exe' + - '\rutserv.exe' + - '\rfusclient.exe' - Product: 'Remote Utilities' filter: Image|startswith: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml index 56293a027..32f9cacad 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml @@ -45,11 +45,11 @@ detection: - 'computers_pwdnotreqd' selection_2: - Imphash: - - bca5675746d13a1f246e2da3c2217492 - - 53e117a96057eaf19c41380d0e87f1c2 + - bca5675746d13a1f246e2da3c2217492 + - 53e117a96057eaf19c41380d0e87f1c2 - Hashes|contains: - - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492' - - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2' + - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492' + - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2' selection_3: OriginalFileName: 'AdFind.exe' filter: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml index d20bd4bce..e068c073e 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml 
@@ -17,21 +17,21 @@ detection: - Product|contains: 'AutoHotkey' - Description|contains: 'AutoHotkey' - OriginalFileName: - - 'AutoHotkey.exe' - - 'AutoHotkey.rc' + - 'AutoHotkey.exe' + - 'AutoHotkey.rc' filter: - Image|endswith: - - '\AutoHotkey.exe' - - '\AutoHotkey32.exe' - - '\AutoHotkey32_UIA.exe' - - '\AutoHotkey64.exe' - - '\AutoHotkey64_UIA.exe' - - '\AutoHotkeyA32.exe' - - '\AutoHotkeyA32_UIA.exe' - - '\AutoHotkeyU32.exe' - - '\AutoHotkeyU32_UIA.exe' - - '\AutoHotkeyU64.exe' - - '\AutoHotkeyU64_UIA.exe' + - '\AutoHotkey.exe' + - '\AutoHotkey32.exe' + - '\AutoHotkey32_UIA.exe' + - '\AutoHotkey64.exe' + - '\AutoHotkey64_UIA.exe' + - '\AutoHotkeyA32.exe' + - '\AutoHotkeyA32_UIA.exe' + - '\AutoHotkeyU32.exe' + - '\AutoHotkeyU32_UIA.exe' + - '\AutoHotkeyU64.exe' + - '\AutoHotkeyU64_UIA.exe' - Image|contains: '\AutoHotkey' condition: selection and not filter falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index 2a073bdf8..1e509d401 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml 
@@ -24,13 +24,13 @@ detection: - ' /ErrorStdOut' selection_2: - Imphash: - - 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries - - 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries - - 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries + - 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries + - 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries + - 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries - Hashes|contains: - - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries - - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries - - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries + - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries + - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries + - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries selection_3: OriginalFileName: - 'AutoIt3.exe' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml index 2c80268f9..a6b3309b9 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml 
@@ -34,26 +34,26 @@ detection: - Description: 'Execute processes remotely' - Product: 'Sysinternals PsExec' - Description|startswith: - - 'Windows PowerShell' - - 'pwsh' + - 'Windows PowerShell' + - 'pwsh' - OriginalFileName: - - 'certutil.exe' - - 'cmstp.exe' - - 'cscript.exe' - - 'mshta.exe' - - 'msiexec.exe' - - 'powershell_ise.exe' - - 'powershell.exe' - - 'psexec.c' # old versions of psexec (2016 seen) - - 'psexec.exe' - - 'psexesvc.exe' - - 'pwsh.dll' - - 'reg.exe' - - 'regsvr32.exe' - - 'rundll32.exe' - - 'WerMgr' - - 'wmic.exe' - - 'wscript.exe' + - 'certutil.exe' + - 'cmstp.exe' + - 'cscript.exe' + - 'mshta.exe' + - 'msiexec.exe' + - 'powershell_ise.exe' + - 'powershell.exe' + - 'psexec.c' # old versions of psexec (2016 seen) + - 'psexec.exe' + - 'psexesvc.exe' + - 'pwsh.dll' + - 'reg.exe' + - 'regsvr32.exe' + - 'rundll32.exe' + - 'WerMgr' + - 'wmic.exe' + - 'wscript.exe' filter: Image|endswith: - '\certutil.exe' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml index 28671c55b..79679f3b1 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml @@ -23,13 +23,13 @@ detection: OriginalFileName: 'FX_VER_INTERNALNAME_STR' selection_cli: - CommandLine|contains|all: - - ' -u ' # Short version of '--full' - - ' -f ' # Short version of '--name' - - '.dmp' + - ' -u ' # Short version of '--full' + - ' -f ' # Short version of '--name' + - '.dmp' - CommandLine|contains|all: - - ' --full ' # Short version of '--full' - - ' --name ' # Short version of '--name' - - '.dmp' + - ' --full ' # Short version of '--full' + - ' --name ' # Short version of '--name' + - '.dmp' filter: Image|endswith: '\createdump.exe' condition: 1 of selection_* and not filter 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index d04e4459f..b34fa1087 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -14,17 +14,17 @@ logsource: detection: selection: - OriginalFileName: - - 'Excel.exe' - - 'MSACCESS.EXE' - - 'OneNote.exe' - - 'POWERPNT.EXE' - - 'WinWord.exe' + - 'Excel.exe' + - 'MSACCESS.EXE' + - 'OneNote.exe' + - 'POWERPNT.EXE' + - 'WinWord.exe' - Description: - - 'Microsoft Access' - - 'Microsoft Excel' - - 'Microsoft OneNote' - - 'Microsoft PowerPoint' - - 'Microsoft Word' + - 'Microsoft Access' + - 'Microsoft Excel' + - 'Microsoft OneNote' + - 'Microsoft PowerPoint' + - 'Microsoft Word' filter: Image|endswith: - '\EXCEL.exe' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml index 775512b75..f5c57dd41 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml 
@@ -23,15 +23,15 @@ detection: - OriginalFileName: 'PAExec.exe' - Product|contains: 'PAExec' - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c + - 11D40A7B7876288F919AB819CC2D9802 + - 6444f8a34e99b8f7d9647de66aabe516 + - dfd6aa3f7b2b1035b76b718f1ddc689f + - 1a6cca4d5460b1710a12dea39e4a592c - Hashes|contains: - - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + - IMPHASH=11D40A7B7876288F919AB819CC2D9802 + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: - Image|endswith: '\paexec.exe' - Image|startswith: 'C:\Windows\PAExec-' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml index b11a5b807..c2d79235f 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml @@ -18,9 +18,9 @@ detection: selection: - OriginalFileName: 'Plink' - CommandLine|contains|all: - - ' -l forward' - - ' -P ' - - ' -R ' + - ' -l forward' + - ' -P ' + - ' -R ' filter: Image|endswith: '\plink.exe' condition: selection and not filter diff --git a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml index ce177f8ff..2f68bc353 100644 --- a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml +++ b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml 
@@ -25,17 +25,17 @@ detection: - '/s' ntlm_auth: - CommandLine|contains|all: - - '-u' - - 'NTLM' + - '-u' + - 'NTLM' - CommandLine|contains|all: - - '/u' - - 'NTLM' + - '/u' + - 'NTLM' - CommandLine|contains|all: - - '-t' - - 'ncacn_np' + - '-t' + - 'ncacn_np' - CommandLine|contains|all: - - '/t' - - 'ncacn_np' + - '/t' + - 'ncacn_np' condition: use_rpcping and remote_server and ntlm_auth falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml index f73550690..023daafc8 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml @@ -21,8 +21,8 @@ detection: CommandLine|contains: 'advpack' selection_cli_ordinal: - CommandLine|contains|all: - - '#+' - - '12' + - '#+' + - '12' - CommandLine|contains: '#-' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml index b47f7c0b0..ec88f6002 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml @@ -39,7 +39,7 @@ detection: - '#+' - '#24' - '24 ' - - 'MiniDump' #Matches MiniDump and MinidumpW + - 'MiniDump' # Matches MiniDump and MinidumpW selection_generic: CommandLine|contains|all: - '24' diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml index dd140397e..a57799487 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml 
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml @@ -17,17 +17,17 @@ logsource: detection: selection: - Image|contains: - - ':\RECYCLER\' - - ':\SystemVolumeInformation\' + - ':\RECYCLER\' + - ':\SystemVolumeInformation\' - Image|startswith: - - 'C:\Windows\Tasks\' - - 'C:\Windows\debug\' - - 'C:\Windows\fonts\' - - 'C:\Windows\help\' - - 'C:\Windows\drivers\' - - 'C:\Windows\addins\' - - 'C:\Windows\cursors\' - - 'C:\Windows\system32\tasks\' + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml index 8a5765481..f7f53f8e5 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml @@ -18,7 +18,7 @@ detection: selection1: CommandLine|contains: 'rundll32' selection2: - CommandLine|contains: + CommandLine|contains: - 'mshtml,RunHTMLApplication' - 'mshtml,#135' selection3: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml index a0abb6610..16a2909e8 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml 
@@ -21,73 +21,73 @@ logsource: detection: selection: - CommandLine|contains|all: - - 'javascript:' - - '.RegisterXLL' + - 'javascript:' + - '.RegisterXLL' - CommandLine|contains|all: - - 'url.dll' - - 'OpenURL' + - 'url.dll' + - 'OpenURL' - CommandLine|contains|all: - - 'url.dll' - - 'OpenURLA' + - 'url.dll' + - 'OpenURLA' - CommandLine|contains|all: - - 'url.dll' - - 'FileProtocolHandler' + - 'url.dll' + - 'FileProtocolHandler' - CommandLine|contains|all: - - 'zipfldr.dll' - - 'RouteTheCall' + - 'zipfldr.dll' + - 'RouteTheCall' - CommandLine|contains|all: - - 'shell32.dll' - - 'Control_RunDLL' + - 'shell32.dll' + - 'Control_RunDLL' - CommandLine|contains|all: - - 'shell32.dll' - - 'ShellExec_RunDLL' + - 'shell32.dll' + - 'ShellExec_RunDLL' - CommandLine|contains|all: - - 'mshtml.dll' - - 'PrintHTML' + - 'mshtml.dll' + - 'PrintHTML' - CommandLine|contains|all: - - 'advpack.dll' - - 'LaunchINFSection' + - 'advpack.dll' + - 'LaunchINFSection' - CommandLine|contains|all: - - 'advpack.dll' - - 'RegisterOCX' + - 'advpack.dll' + - 'RegisterOCX' - CommandLine|contains|all: - - 'ieadvpack.dll' - - 'LaunchINFSection' + - 'ieadvpack.dll' + - 'LaunchINFSection' - CommandLine|contains|all: - - 'ieadvpack.dll' - - 'RegisterOCX' + - 'ieadvpack.dll' + - 'RegisterOCX' - CommandLine|contains|all: - - 'ieframe.dll' - - 'OpenURL' + - 'ieframe.dll' + - 'OpenURL' - CommandLine|contains|all: - - 'shdocvw.dll' - - 'OpenURL' + - 'shdocvw.dll' + - 'OpenURL' - CommandLine|contains|all: - - 'syssetup.dll' - - 'SetupInfObjectInstallAction' + - 'syssetup.dll' + - 'SetupInfObjectInstallAction' - CommandLine|contains|all: - - 'setupapi.dll' - - 'InstallHinfSection' + - 'setupapi.dll' + - 'InstallHinfSection' - CommandLine|contains|all: - - 'pcwutl.dll' - - 'LaunchApplication' + - 'pcwutl.dll' + - 'LaunchApplication' - CommandLine|contains|all: - - 'dfshim.dll' - - 'ShOpenVerbApplication' + - 'dfshim.dll' + - 'ShOpenVerbApplication' - CommandLine|contains|all: - - 'dfshim.dll' - - 
'ShOpenVerbShortcut' + - 'dfshim.dll' + - 'ShOpenVerbShortcut' - CommandLine|contains|all: - - 'scrobj.dll' - - 'GenerateTypeLib' - - 'http' + - 'scrobj.dll' + - 'GenerateTypeLib' + - 'http' - CommandLine|contains|all: - - 'shimgvw.dll' - - 'ImageView_Fullscreen' - - 'http' + - 'shimgvw.dll' + - 'ImageView_Fullscreen' + - 'http' - CommandLine|contains|all: - - 'comsvcs.dll' - - 'MiniDump' + - 'comsvcs.dll' + - 'MiniDump' filter_main_screensaver: CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver' filter_main_parent_cpl: # Settings diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index 8f64db461..fc312f152 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml @@ -28,9 +28,9 @@ detection: CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' filter_local_ips: CommandLine|contains: - - '://10.' #10.0.0.0/8 - - '://192.168.' #192.168.0.0/16 - - '://172.16.' #172.16.0.0/12 + - '://10.' # 10.0.0.0/8 + - '://192.168.' # 192.168.0.0/16 + - '://172.16.' # 172.16.0.0/12 - '://172.17.' - '://172.18.' - '://172.19.' @@ -46,8 +46,8 @@ detection: - '://172.29.' - '://172.30.' - '://172.31.' - - '://127.' #127.0.0.0/8 - - '://169.254.' #169.254.0.0/16 + - '://127.' # 127.0.0.0/8 + - '://169.254.' # 169.254.0.0/16 condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml index 29a82e954..8f47c4a00 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml 
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml @@ -17,22 +17,22 @@ logsource: detection: selection_sc: - CommandLine|contains|all: - - 'sc ' - - 'config ' - - 'binpath=' + - 'sc ' + - 'config ' + - 'binpath=' - CommandLine|contains|all: - - 'sc ' - - 'failure' - - 'command=' + - 'sc ' + - 'failure' + - 'command=' selection_reg_img: - CommandLine|contains|all: - - 'reg ' - - 'add ' - - 'FailureCommand' + - 'reg ' + - 'add ' + - 'FailureCommand' - CommandLine|contains|all: - - 'reg ' - - 'add ' - - 'ImagePath' + - 'reg ' + - 'add ' + - 'ImagePath' selection_reg_ext: CommandLine|contains: - '.sh' diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml index b6b0a40d7..b982fdeb4 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml @@ -21,8 +21,8 @@ detection: CommandLine|contains: ' stop ' filter_kaspersky: CommandLine: - - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop - - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service + - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop + - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index 87e8b3960..81b371fdf 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml 
@@ -40,8 +40,8 @@ detection: - 'C:\Perflogs' filter_mixed: - CommandLine|contains: - - 'update_task.xml' - - '/Create /TN TVInstallRestore /TR' + - 'update_task.xml' + - '/Create /TN TVInstallRestore /TR' - ParentCommandLine|contains: 'unattended.ini' filter_avira_install: # Comment out this filter if you dont use AVIRA diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml index d5e12be08..fb8279682 100644 --- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml @@ -43,8 +43,8 @@ detection: CommandLine|contains|all: - '/configure' - '/db' - #filter: - # SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log + # filter: + # SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log condition: selection_img and (1 of selection_flags_*) falsepositives: - Legitimate administrative use diff --git a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml index a32fc83ba..8759fb28f 100644 --- a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml @@ -19,8 +19,8 @@ detection: - Image|endswith: '\setspn.exe' - OriginalFileName: 'setspn.exe' - Description|contains|all: - - 'Query or reset the computer' - - 'SPN attribute' + - 'Query or reset the computer' + - 'SPN attribute' selection_cli: CommandLine|contains: '-q' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml index a87a72254..bbb7f74cb 100644 
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml @@ -21,8 +21,8 @@ detection: selection_sql: - Product: SQLite - Image|endswith: - - '\sqlite.exe' - - '\sqlite3.exe' + - '\sqlite.exe' + - '\sqlite3.exe' selection_chromium: CommandLine|contains: - '\User Data\' # Most common folder for user profile data among Chromium browsers diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml index 005adaecc..012a329df 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml @@ -20,8 +20,8 @@ detection: selection_sql: - Product: SQLite - Image|endswith: - - '\sqlite.exe' - - '\sqlite3.exe' + - '\sqlite.exe' + - '\sqlite3.exe' selection_firefox: CommandLine|contains: - 'cookies.sqlite' diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml index 36917245c..a052d0799 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml @@ -29,13 +29,13 @@ detection: - 'AUTORI' selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\cmd.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'Cmd.Exe' filter: CommandLine|contains|all: - ' route ' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml index d0f6ad759..0f150cb17 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml @@ -19,13 +19,13 @@ logsource: detection: selection_main: - CommandLine|contains|all: - # net.exe - - 'localgroup ' - - ' /add' + # net.exe + - 'localgroup ' + - ' /add' - CommandLine|contains|all: - # powershell.exe - - 'Add-LocalGroupMember ' - - ' -Group ' + # powershell.exe + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: CommandLine|contains: - ' administrators ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml index 2a54d674b..626d5d72b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml @@ -22,11 +22,11 @@ logsource: detection: selection_main: - CommandLine|contains|all: - - 'localgroup ' - - ' /add' + - 'localgroup ' + - ' /add' - CommandLine|contains|all: - - 'Add-LocalGroupMember ' - - ' -Group ' + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: CommandLine|contains: - 'Remote Desktop Users' diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml index a05207ce7..72ef42687 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml 
@@ -15,7 +15,7 @@ logsource: category: process_creation detection: selection_parent: - #GrandParentImage|endswith: '\sihost.exe' + # GrandParentImage|endswith: '\sihost.exe' ParentImage|contains: 'C:\Program Files\WindowsApps\' selection_susp_img: Image|endswith: diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml index acc6e6b8c..645d0b0d6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml @@ -22,20 +22,20 @@ logsource: detection: selection_cmd: - CommandLine|contains: - - 'copy-item' - - 'copy ' - - 'cpi ' - - ' cp ' - - 'move ' - - 'move-item' - - ' mi ' - - ' mv ' + - 'copy-item' + - 'copy ' + - 'cpi ' + - ' cp ' + - 'move ' + - 'move-item' + - ' mi ' + - ' mv ' - Image|endswith: - - '\xcopy.exe' - - '\robocopy.exe' + - '\xcopy.exe' + - '\robocopy.exe' - OriginalFileName: - - 'XCOPY.EXE' - - 'robocopy.exe' + - 'XCOPY.EXE' + - 'robocopy.exe' selection_path: CommandLine|contains: - '\Amigo\User Data' diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index c4732b6dd..314cbcd2c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml @@ -23,11 +23,11 @@ logsource: detection: selection_other_tools: - Image|endswith: - - '\robocopy.exe' - - '\xcopy.exe' + - '\robocopy.exe' + - '\xcopy.exe' - OriginalFileName: - - 'robocopy.exe' - - 'XCOPY.EXE' + - 'robocopy.exe' + - 'XCOPY.EXE' selection_cmd_img: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe' 
@@ -35,11 +35,11 @@ detection: CommandLine|contains: 'copy' selection_pwsh_img: - Image|contains: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_pwsh_cli: CommandLine|contains: - 'copy-item' @@ -52,8 +52,8 @@ detection: - ' mv ' selection_target: - CommandLine|contains|all: - - '\\\\' - - '$' + - '\\\\' + - '$' - CommandLine|contains: '\Sysvol\' condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*) falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml index fb04981c2..b31a32e74 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml @@ -35,11 +35,11 @@ detection: - ' cp ' selection_other: - Image|endswith: - - '\robocopy.exe' - - '\xcopy.exe' + - '\robocopy.exe' + - '\xcopy.exe' - OriginalFileName: - - 'robocopy.exe' - - 'XCOPY.EXE' + - 'robocopy.exe' + - 'XCOPY.EXE' target: CommandLine|contains: - '\System32' diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml index bad5fa4f5..294c3b99d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml @@ -33,11 +33,11 @@ detection: - ' cp ' selection_tools_other: - Image|endswith: - - '\robocopy.exe' - - '\xcopy.exe' + - '\robocopy.exe' + - '\xcopy.exe' - OriginalFileName: - - 'robocopy.exe' - - 'XCOPY.EXE' + - 'robocopy.exe' + - 'XCOPY.EXE' selection_target_path: CommandLine|contains: - '\System32' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml index 658d7574b..f56bb811e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml @@ -43,24 +43,24 @@ detection: - '--post-file' payloads: - CommandLine|contains: - - 'Get-Content' - - 'GetBytes' - - 'hostname' - - 'ifconfig' - - 'ipconfig' - - 'net view' - - 'netstat' - - 'nltest' - - 'qprocess' - - 'sc query' - - 'systeminfo' - - 'tasklist' - - 'ToBase64String' - - 'whoami' + - 'Get-Content' + - 'GetBytes' + - 'hostname' + - 'ifconfig' + - 'ipconfig' + - 'net view' + - 'netstat' + - 'nltest' + - 'qprocess' + - 'sc query' + - 'systeminfo' + - 'tasklist' + - 'ToBase64String' + - 'whoami' - CommandLine|contains|all: - - 'type ' - - ' > ' - - ' C:\' + - 'type ' + - ' > ' + - ' C:\' condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml index ac25b1fc7..a30857f9c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml 
@@ -20,43 +20,43 @@ logsource: detection: selection: - ParentImage|endswith: - - '.doc.lnk' - - '.docx.lnk' - - '.xls.lnk' - - '.xlsx.lnk' - - '.ppt.lnk' - - '.pptx.lnk' - - '.rtf.lnk' - - '.pdf.lnk' - - '.txt.lnk' - - '.doc.js' - - '.docx.js' - - '.xls.js' - - '.xlsx.js' - - '.ppt.js' - - '.pptx.js' - - '.rtf.js' - - '.pdf.js' - - '.txt.js' + - '.doc.lnk' + - '.docx.lnk' + - '.xls.lnk' + - '.xlsx.lnk' + - '.ppt.lnk' + - '.pptx.lnk' + - '.rtf.lnk' + - '.pdf.lnk' + - '.txt.lnk' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' - ParentCommandLine|contains: - - '.doc.lnk' - - '.docx.lnk' - - '.xls.lnk' - - '.xlsx.lnk' - - '.ppt.lnk' - - '.pptx.lnk' - - '.rtf.lnk' - - '.pdf.lnk' - - '.txt.lnk' - - '.doc.js' - - '.docx.js' - - '.xls.js' - - '.xlsx.js' - - '.ppt.js' - - '.pptx.js' - - '.rtf.js' - - '.pdf.js' - - '.txt.js' + - '.doc.lnk' + - '.docx.lnk' + - '.xls.lnk' + - '.xlsx.lnk' + - '.ppt.lnk' + - '.pptx.lnk' + - '.rtf.lnk' + - '.pdf.lnk' + - '.txt.lnk' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml index 44cec9952..2c691f14e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml 
@@ -18,16 +18,16 @@ logsource: detection: selection_download: - Image|endswith: - - '\curl.exe' - - '\wget.exe' + - '\curl.exe' + - '\wget.exe' - CommandLine|contains: - - 'Invoke-WebRequest' - - 'iwr ' - - 'curl ' - - 'wget ' - - 'Start-BitsTransfer' - - '.DownloadFile(' - - '.DownloadString(' + - 'Invoke-WebRequest' + - 'iwr ' + - 'curl ' + - 'wget ' + - 'Start-BitsTransfer' + - '.DownloadFile(' + - '.DownloadString(' selection_domains: CommandLine|contains: - 'https://attachment.outlook.live.net/owa/' diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml index 97caef02c..251d98467 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml @@ -16,13 +16,13 @@ logsource: detection: selection_img: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\pwsh.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_parent: ParentImage|contains|all: - '\Windows\Installer\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml index 86ef4ba82..7c94d76b5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml @@ -27,7 +27,7 @@ detection: ParentImage|endswith: # Add more electron based app to the list - '\chrome.exe' # Might require additional tuning - #- '\code.exe' # Requires additional baseline + # - '\code.exe' # Requires additional baseline - '\discord.exe' - '\GitHubDesktop.exe' - '\keybase.exe' 
@@ -56,15 +56,15 @@ detection: filter_main_chrome: ParentImage|endswith: '\chrome.exe' Image|endswith: '\chrome.exe' - #filter_main_code_1: - # ParentImage|endswith: '\code.exe' - # Image|endswith: '\code.exe' - #filter_main_code_2: - # # Note: As code allows many other programs its best to baseline this - # ParentImage|endswith: '\code.exe' - # Image|endswith: - # - '\cmd.exe' - # - '\powershell.exe' + # filter_main_code_1: + # ParentImage|endswith: '\code.exe' + # Image|endswith: '\code.exe' + # filter_main_code_2: + # # Note: As code allows many other programs its best to baseline this + # ParentImage|endswith: '\code.exe' + # Image|endswith: + # - '\cmd.exe' + # - '\powershell.exe' filter_main_discord: ParentImage|endswith: '\discord.exe' Image|endswith: '\discord.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 8ae8f1905..935dc291b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml @@ -18,13 +18,13 @@ logsource: detection: selection_shell: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\cmd.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'Cmd.Exe' selection_user: User|contains: # covers many language settings - 'AUTHORI' diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml index d2ff9fc52..1249e5a1e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml 
@@ -34,16 +34,16 @@ detection: CommandLine|contains|all: - 'set-log' - '/e:false' - selection_disable_3: #ETW provider removal from a trace session + selection_disable_3: # ETW provider removal from a trace session CommandLine|contains|all: - 'logman' - 'update' - 'trace' - '--p' - '-ets' - selection_pwsh_remove: #Autologger provider removal + selection_pwsh_remove: # Autologger provider removal CommandLine|contains: 'Remove-EtwTraceProvider' - selection_pwsh_set: #Provider โ€œEnableโ€ property modification + selection_pwsh_set: # Provider โ€œEnableโ€ property modification CommandLine|contains|all: - 'Set-EtwTraceProvider' - '0x11' diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml index 234fe24c4..9d43fc6ef 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: # Uncomment this section and remove the filter if you want the rule to be more specific to processes - #selection_img: - # Image|endswith: - # - '\rundll32.exe' + # selection_img: + # Image|endswith: + # - '\rundll32.exe' selection_folder: CommandLine|contains: # Add more suspicious or unexpected paths diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml index 1e68e9960..447bb5775 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml 
@@ -19,24 +19,24 @@ logsource: detection: selection: - Image|contains: - - '\$Recycle.bin\' - - '\config\systemprofile\' - - '\Intel\Logs\' - - '\RSA\MachineKeys\' - - '\Users\All Users\' - - '\Users\Default\' - - '\Users\NetworkService\' - - '\Users\Public\' - - '\Windows\addins\' - - '\Windows\debug\' - - '\Windows\Fonts\' - - '\Windows\Help\' - - '\Windows\IME\' - - '\Windows\Media\' - - '\Windows\repair\' - - '\Windows\security\' - - '\Windows\System32\Tasks\' - - '\Windows\Tasks\' + - '\$Recycle.bin\' + - '\config\systemprofile\' + - '\Intel\Logs\' + - '\RSA\MachineKeys\' + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\NetworkService\' + - '\Users\Public\' + - '\Windows\addins\' + - '\Windows\debug\' + - '\Windows\Fonts\' + - '\Windows\Help\' + - '\Windows\IME\' + - '\Windows\Media\' + - '\Windows\repair\' + - '\Windows\security\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' - Image|startswith: 'C:\Perflogs\' filter_ibm: Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index c41c394d0..6b241e67f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -23,14 +23,14 @@ detection: - '' filter_4688: - Image: - - 'System' - - 'Registry' - - 'MemCompression' - - 'vmmem' + - 'System' + - 'Registry' + - 'MemCompression' + - 'vmmem' - CommandLine: - - 'Registry' - - 'MemCompression' - - 'vmmem' + - 'Registry' + - 'MemCompression' + - 'vmmem' condition: not image_absolute_path and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml index 6f7c6794a..3c063d250 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml @@ -44,7 +44,7 @@ detection: - 'LoadLibrary' - 'memcpy' - 'MiniDumpWriteDump' - #- 'msvcrt' + # - 'msvcrt' - 'ntdll' - 'OpenDesktop' - 'OpenProcess' @@ -58,7 +58,7 @@ detection: - 'RtlCreateUserThread' - 'secur32' - 'SetThreadToken' - #- 'user32' + # - 'user32' - 'VirtualAlloc' - 'VirtualFree' - 'VirtualProtect' diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml index e79c7c3ba..fde466c4e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml @@ -21,25 +21,25 @@ detection: selection: # Note: add more lolbins for additional coverage - Image|endswith: - - '\calc.exe' - - '\certutil.exe' - - '\cmstp.exe' - - '\cscript.exe' - - '\installutil.exe' - - '\mshta.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\calc.exe' + - '\certutil.exe' + - '\cmstp.exe' + - '\cscript.exe' + - '\installutil.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - OriginalFileName: - - 'CALC.EXE' - - 'CertUtil.exe' - - 'CMSTP.EXE' - - 'cscript.exe' - - 'installutil.exe' - - 'MSHTA.EXE' - - 'REGSVR32.EXE' - - 'RUNDLL32.EXE' - - 'wscript.exe' + - 'CALC.EXE' + - 'CertUtil.exe' + - 'CMSTP.EXE' + - 'cscript.exe' + - 'installutil.exe' + - 'MSHTA.EXE' + - 'REGSVR32.EXE' + - 'RUNDLL32.EXE' + - 'wscript.exe' filter_main_currentdirectory: CurrentDirectory|contains: 'C:\' filter_main_empty: diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml index 000541351..501b012cb 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml @@ -25,24 +25,24 @@ logsource: detection: selection: - CommandLine|contains: - - 'lsass.dmp' - - 'lsass.zip' - - 'lsass.rar' - - 'Andrew.dmp' - - 'Coredump.dmp' - - 'NotLSASS.zip' # https://github.com/CCob/MirrorDump - - 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp - - 'lsassdump' - - 'lsassdmp' + - 'lsass.dmp' + - 'lsass.zip' + - 'lsass.rar' + - 'Andrew.dmp' + - 'Coredump.dmp' + - 'NotLSASS.zip' # https://github.com/CCob/MirrorDump + - 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - 'lsassdump' + - 'lsassdmp' - CommandLine|contains|all: - - 'lsass' - - '.dmp' + - 'lsass' + - '.dmp' - CommandLine|contains|all: - - 'SQLDmpr' - - '.mdmp' + - 'SQLDmpr' + - '.mdmp' - CommandLine|contains|all: - - 'nanodump' - - '.dmp' + - 'nanodump' + - '.dmp' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml index 0f1fe2233..4deb46e33 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml 
@@ -21,27 +21,27 @@ logsource: category: process_creation detection: selection_tool: - # https://github.com/zcgonvh/NTDSDumpEx + # https://github.com/zcgonvh/NTDSDumpEx - Image|endswith: - - '\NTDSDump.exe' - - '\NTDSDumpEx.exe' + - '\NTDSDump.exe' + - '\NTDSDumpEx.exe' - CommandLine|contains|all: - # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv - - 'ntds.dit' - - 'system.hiv' + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - 'ntds.dit' + - 'system.hiv' - CommandLine|contains: 'NTDSgrab.ps1' selection_oneliner_1: - # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" CommandLine|contains|all: - 'ac i ntds' - 'create full' selection_onliner_2: - # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit CommandLine|contains|all: - '/c copy ' - '\windows\ntds\ntds.dit' selection_onliner_3: - # ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit" + # ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit" CommandLine|contains|all: - 'activate instance ntds' - 'create full' @@ -53,19 +53,19 @@ detection: CommandLine|contains: 'ntds.dit' set1_selection_image_folder: - ParentImage|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' - Image|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' condition: 1 of selection* or all of set1* falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml index b9cd0d914..de26e2a30 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml @@ -25,20 +25,20 @@ detection: - '~2\' filter: - ParentImage: - - 'C:\Windows\System32\Dism.exe' - - 'C:\Windows\System32\cleanmgr.exe' - - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\cleanmgr.exe' + - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' - ParentImage|endswith: - - '\WebEx\WebexHost.exe' - - '\thor\thor64.exe' - - '\veam.backup.shell.exe' - - '\winget.exe' - - '\Everything\Everything.exe' + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' + - '\veam.backup.shell.exe' + - '\winget.exe' + - '\Everything\Everything.exe' - ParentImage|contains: '\AppData\Local\Temp\WinGet\' - CommandLine|contains: - - '\appdata\local\webex\webex64\meetings\wbxreport.exe' - - 'C:\Program Files\Git\post-install.bat' - - 'C:\Program Files\Git\cmd\scalar.exe' + - '\appdata\local\webex\webex64\meetings\wbxreport.exe' + - 'C:\Program Files\Git\post-install.bat' + - 'C:\Program Files\Git\cmd\scalar.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml index 7399ef16e..535d806af 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml @@ -25,21 +25,21 @@ detection: - '~2\' filter1: - ParentImage: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) - ParentImage|endswith: - - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes - - '\thor\thor64.exe' + - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes + - '\thor\thor64.exe' - Product: 'InstallShield (R)' - Description: 'InstallShield (R) Setup Engine' - Company: 'InstallShield Software Corporation' filter_installers: - Image|contains|all: - - '\AppData\' - - '\Temp\' + - '\AppData\' + - '\Temp\' - Image|endswith: - - '~1\unzip.exe' - - '~1\7zG.exe' + - '~1\unzip.exe' + - '~1\7zG.exe' condition: selection and not 1 of filter* falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml index 794dd76e1..445bc32d4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml @@ -41,8 +41,8 @@ detection: - '~2.hta' filter: - ParentImage|endswith: - - '\WebEx\WebexHost.exe' - - '\thor\thor64.exe' + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE' condition: selection and not filter falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml index 8406a3eb4..a8bf724a0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml @@ -23,12 +23,12 @@ detection: - 'DownloadString' selection_ip: - CommandLine|contains: - - '//0x' - - '.0x' - - '.00x' + - '//0x' + - '.0x' + - '.00x' - CommandLine|contains|all: - - 'http://%' - - '%2e' + - 'http://%' + - '%2e' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml index 89e6565be..9f581bf06 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml @@ -19,11 +19,11 @@ logsource: detection: selection_name: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' + - '\cmd.exe' + - '\powershell.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'PowerShell.EXE' + - 'Cmd.Exe' + - 'PowerShell.EXE' selection_args: CommandLine|contains|all: - 'echo' diff --git a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml index 5cc4606a1..1bd577cc2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml 
@@ -21,11 +21,11 @@ detection: CommandLine|contains: 'dir ' selection_pwsh_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' selection_pwsh_cli: CommandLine|contains: 'Get-ChildItem ' selection_findstr: diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml index 5f327c6ad..c6d598d71 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml @@ -30,11 +30,11 @@ detection: - '\winlogon.exe' filter_sys: - ParentImage|endswith: - - '\SavService.exe' - - '\ngen.exe' + - '\SavService.exe' + - '\ngen.exe' - ParentImage|contains: - - '\System32\' - - '\SysWOW64\' + - '\System32\' + - '\SysWOW64\' filter_msmpeng: ParentImage|contains: - '\Windows Defender\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_progname.yml b/rules/windows/process_creation/proc_creation_win_susp_progname.yml index 0fb1e74e8..1e08522f5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_progname.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_progname.yml 
@@ -16,18 +16,18 @@ logsource: detection: selection_image: - Image|contains: - - '\CVE-202' # Update this when we reach the year 2100 - - '\CVE202' # Update this when we reach the year 2100 + - '\CVE-202' # Update this when we reach the year 2100 + - '\CVE202' # Update this when we reach the year 2100 - Image|endswith: - - '\poc.exe' - - '\artifact.exe' - - '\artifact64.exe' - - '\artifact_protected.exe' - - '\artifact32.exe' - - '\artifact32big.exe' - - 'obfuscated.exe' - - 'obfusc.exe' - - '\meterpreter' + - '\poc.exe' + - '\artifact.exe' + - '\artifact64.exe' + - '\artifact_protected.exe' + - '\artifact32.exe' + - '\artifact32big.exe' + - 'obfuscated.exe' + - 'obfusc.exe' + - '\meterpreter' selection_commandline: CommandLine|contains: - 'inject.ps1' diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml index 887815676..22e81ad1d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml @@ -19,14 +19,14 @@ logsource: detection: selection_image: - Image|endswith: - - '\tree.com' - - '\WMIC.exe' - - '\doskey.exe' - - '\sc.exe' + - '\tree.com' + - '\WMIC.exe' + - '\doskey.exe' + - '\sc.exe' - OriginalFileName: - - 'wmic.exe' - - 'DOSKEY.EXE' - - 'sc.exe' + - 'wmic.exe' + - 'DOSKEY.EXE' + - 'sc.exe' selection_redirect: ParentCommandLine|contains: - ' > %TEMP%\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml index fe355d393..b32fbc96f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml 
@@ -44,14 +44,14 @@ detection: - '\Windows\Temp' selection_folders_2: - CommandLine|contains|all: - - ':\Users\' - - '\Favorites\' + - ':\Users\' + - '\Favorites\' - CommandLine|contains|all: - - ':\Users\' - - '\Favourites\' + - ':\Users\' + - '\Favourites\' - CommandLine|contains|all: - - ':\Users\' - - '\Contacts\' + - ':\Users\' + - '\Contacts\' condition: 1 of selection_proc_* and 1 of selection_folders_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 7b3d10c71..8628cf7b7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -27,11 +27,11 @@ logsource: detection: selection_net_img: - OriginalFileName: - - 'net.exe' - - 'net1.exe' + - 'net.exe' + - 'net1.exe' - Image|endswith: - - '\net.exe' - - '\net1.exe' + - '\net.exe' + - '\net1.exe' selection_net_cli: CommandLine|contains: ' stop ' selection_sc_img: @@ -44,11 +44,11 @@ detection: - ' pause ' selection_pwsh_img: - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' selection_pwsh_cli: CommandLine|contains: - 'Stop-Service ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml index 5d6cdf407..a370a4355 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml 
@@ -19,15 +19,15 @@ logsource: detection: selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - - '\wmic.exe' - - '\vssadmin.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wmic.exe' + - '\vssadmin.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'wmic.exe' - - 'VSSADMIN.EXE' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wmic.exe' + - 'VSSADMIN.EXE' selection_cli: CommandLine|contains|all: - 'shadow' diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml index 7ce2e9319..de76a0a53 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml @@ -26,17 +26,17 @@ logsource: detection: selection1_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - - '\wmic.exe' - - '\vssadmin.exe' - - '\diskshadow.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wmic.exe' + - '\vssadmin.exe' + - '\diskshadow.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'wmic.exe' - - 'VSSADMIN.EXE' - - 'diskshadow.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wmic.exe' + - 'VSSADMIN.EXE' + - 'diskshadow.exe' selection1_cli: CommandLine|contains|all: - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml index 4543e9641..c840292b0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml 
@@ -22,7 +22,7 @@ detection: - '\mshta.exe' - '\powershell.exe' - '\pwsh.exe' - #- '\cmd.exe' # too many false positives + # - '\cmd.exe' # too many false positives - '\rundll32.exe' - '\cscript.exe' - '\wscript.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index c40e86963..2feb13fcf 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -70,14 +70,14 @@ detection: - '\dfrgui.exe' filter_generic: - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\WinSxS\' - # - 'C:\avast! sandbox' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + # - 'C:\avast! sandbox' - Image|contains: '\SystemRoot\System32\' - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Program Files\PowerShell\7\pwsh.exe' + - 'C:\Windows\explorer.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' filter_wsl_windowsapps: Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux' Image|endswith: '\wsl.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml index c04053cc5..3f143bed4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml 
@@ -26,53 +26,53 @@ detection: - 'AUTORI' selection_special: - Image|endswith: - - '\calc.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\hh.exe' - - '\mshta.exe' - - '\forfiles.exe' - - '\ping.exe' + - '\calc.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\hh.exe' + - '\mshta.exe' + - '\forfiles.exe' + - '\ping.exe' - CommandLine|contains: - # - 'sc stop ' # stops a system service # causes FPs - - ' -NoP ' # Often used in malicious PowerShell commands - - ' -W Hidden ' # Often used in malicious PowerShell commands - - ' -decode ' # Used with certutil - - ' /decode ' # Used with certutil - - ' /urlcache ' # Used with certutil - - ' -urlcache ' # Used with certutil - - ' -e* JAB' # PowerShell encoded commands - - ' -e* SUVYI' # PowerShell encoded commands - - ' -e* SQBFAFgA' # PowerShell encoded commands - - ' -e* aWV4I' # PowerShell encoded commands - - ' -e* IAB' # PowerShell encoded commands - - ' -e* PAA' # PowerShell encoded commands - - ' -e* aQBlAHgA' # PowerShell encoded commands - - 'vssadmin delete shadows' # Ransomware - - 'reg SAVE HKLM' # save registry SAM - syskey extraction - - ' -ma ' # ProcDump - - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD - - '.downloadstring(' # PowerShell download command - - '.downloadfile(' # PowerShell download command - - ' /ticket:' # Rubeus - - 'dpapi::' #Mimikatz - - 'event::clear' #Mimikatz - - 'event::drop' #Mimikatz - - 'id::modify' #Mimikatz - - 'kerberos::' #Mimikatz - - 'lsadump::' #Mimikatz - - 'misc::' #Mimikatz - - 'privilege::' #Mimikatz - - 'rpc::' #Mimikatz - - 'sekurlsa::' #Mimikatz - - 'sid::' #Mimikatz - - 'token::' #Mimikatz - - 'vault::cred' #Mimikatz - - 'vault::list' #Mimikatz - - ' p::d ' # Mimikatz - - ';iex(' # PowerShell IEX - - 'MiniDump' # Process dumping method apart from procdump - - 'net user ' + # - 'sc stop ' # stops a system service # causes FPs + - ' -NoP ' # Often used in malicious PowerShell commands + - ' -W Hidden ' # Often 
used in malicious PowerShell commands + - ' -decode ' # Used with certutil + - ' /decode ' # Used with certutil + - ' /urlcache ' # Used with certutil + - ' -urlcache ' # Used with certutil + - ' -e* JAB' # PowerShell encoded commands + - ' -e* SUVYI' # PowerShell encoded commands + - ' -e* SQBFAFgA' # PowerShell encoded commands + - ' -e* aWV4I' # PowerShell encoded commands + - ' -e* IAB' # PowerShell encoded commands + - ' -e* PAA' # PowerShell encoded commands + - ' -e* aQBlAHgA' # PowerShell encoded commands + - 'vssadmin delete shadows' # Ransomware + - 'reg SAVE HKLM' # save registry SAM - syskey extraction + - ' -ma ' # ProcDump + - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD + - '.downloadstring(' # PowerShell download command + - '.downloadfile(' # PowerShell download command + - ' /ticket:' # Rubeus + - 'dpapi::' # Mimikatz + - 'event::clear' # Mimikatz + - 'event::drop' # Mimikatz + - 'id::modify' # Mimikatz + - 'kerberos::' # Mimikatz + - 'lsadump::' # Mimikatz + - 'misc::' # Mimikatz + - 'privilege::' # Mimikatz + - 'rpc::' # Mimikatz + - 'sekurlsa::' # Mimikatz + - 'sid::' # Mimikatz + - 'token::' # Mimikatz + - 'vault::cred' # Mimikatz + - 'vault::list' # Mimikatz + - ' p::d ' # Mimikatz + - ';iex(' # PowerShell IEX + - 'MiniDump' # Process dumping method apart from procdump + - 'net user ' filter_ping: CommandLine: 'ping 127.0.0.1 -n 5' filter_vs: diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml index 55a36ef84..13b18f88a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml 
@@ -3,7 +3,7 @@ id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0 status: test description: | The Tasks folder in system32 and syswow64 are globally writable paths. - Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application + Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr references: - https://twitter.com/subTee/status/1216465628946563073 diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml index e2f90d708..14a13591f 100644 --- a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml @@ -20,8 +20,8 @@ detection: Image|endswith: '\svchost.exe' filter: - ParentImage|endswith: - - '\rpcnet.exe' - - '\rpcnetp.exe' + - '\rpcnet.exe' + - '\rpcnetp.exe' - CommandLine: null # no CommandLine value available condition: selection and not filter fields: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml index 2b58991b7..a61b6d48f 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml 
@@ -21,8 +21,8 @@ detection: - Product|endswith: 'AccessChk' - Description|contains: 'Reports effective permissions' - Image|endswith: - - '\accesschk.exe' - - '\accesschk64.exe' + - '\accesschk.exe' + - '\accesschk64.exe' - OriginalFileName: 'accesschk.exe' selection_cli: CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml index 239cffad1..aff51dc1e 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml @@ -14,8 +14,8 @@ logsource: detection: selection: - Image|endswith: - - '\livekd.exe' - - '\livekd64.exe' + - '\livekd.exe' + - '\livekd64.exe' - OriginalFileName: 'livekd.exe' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 3eb02ad59..afdd078c9 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -16,8 +16,8 @@ logsource: detection: selection_img: - Image|endswith: - - '\livekd.exe' - - '\livekd64.exe' + - '\livekd.exe' + - '\livekd64.exe' - OriginalFileName: 'livekd.exe' selection_cli: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml index eb5bcd295..b2352c405 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml 
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml @@ -22,8 +22,8 @@ detection: selection_img: - OriginalFileName: 'psloglist.exe' - Image|endswith: - - '\psloglist.exe' - - '\psloglist64.exe' + - '\psloglist.exe' + - '\psloglist64.exe' selection_cli_eventlog: CommandLine|contains: - ' security' diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml index 07113a876..ddd882d16 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml @@ -18,8 +18,8 @@ detection: selection: - OriginalFileName: 'psservice.exe' - Image|endswith: - - '\PsService.exe' - - '\PsService64.exe' + - '\PsService.exe' + - '\PsService64.exe' condition: selection falsepositives: - Legitimate use of PsService by an administrator diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml index a4111515f..8c082115e 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml @@ -21,8 +21,8 @@ detection: selection: - OriginalFileName: 'pssuspend.exe' - Image|endswith: - - '\pssuspend.exe' - - '\pssuspend64.exe' + - '\pssuspend.exe' + - '\pssuspend64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml index 21704c24a..db2af26ae 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml @@ -20,8 +20,8 @@ detection: selection_img: - OriginalFileName: 'pssuspend.exe' - Image|endswith: - - '\pssuspend.exe' - - '\pssuspend64.exe' + - '\pssuspend.exe' + - '\pssuspend64.exe' selection_cli: # Add more interesting/critical processes CommandLine|contains: 'msmpeng.exe' diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml index 141e76c50..c403e630a 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml @@ -15,8 +15,8 @@ logsource: detection: selection_pe: - Image|endswith: - - \Sysmon64.exe - - \Sysmon.exe + - \Sysmon64.exe + - \Sysmon.exe - Description: 'System activity monitor' selection_cli: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml index 75a4fa65b..da00cc51d 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml @@ -1,7 +1,7 @@ title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 status: test -description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion +description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon author: frack113 
@@ -16,8 +16,8 @@ logsource: detection: selection_pe: - Image|endswith: - - \Sysmon64.exe - - \Sysmon.exe + - \Sysmon64.exe + - \Sysmon.exe - Description: 'System activity monitor' selection_cli: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index 3d390c27b..49b1ea778 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -21,23 +21,23 @@ detection: ParentImage|endswith: '\vmtoolsd.exe' selection_img: - Image|endswith: - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'cscript.exe' - - 'MSHTA.EXE' - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'REGSVR32.EXE' - - 'RUNDLL32.EXE' - - 'wscript.exe' + - 'Cmd.Exe' + - 'cscript.exe' + - 'MSHTA.EXE' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'REGSVR32.EXE' + - 'RUNDLL32.EXE' + - 'wscript.exe' filter_main_vmwaretools_script: Image|endswith: '\cmd.exe' CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml index 6def426f6..cb1caed52 100644 --- a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml 
@@ -1,8 +1,8 @@ title: Potentially Suspicious WebDAV LNK Execution id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe related: - - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 - type: similar + - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 + type: similar status: experimental description: Detects possible execution via LNK file accessed on a WebDAV server. references: diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml index 41bc0ed96..34edc7651 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml @@ -60,29 +60,29 @@ detection: CommandLine|contains: ' /node:' susp_misc_discovery_binaries: - Image|endswith: - - '\whoami.exe' - - '\systeminfo.exe' - - '\quser.exe' - - '\ipconfig.exe' - - '\pathping.exe' - - '\tracert.exe' - - '\netstat.exe' - - '\schtasks.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' - - '\tasklist.exe' + - '\whoami.exe' + - '\systeminfo.exe' + - '\quser.exe' + - '\ipconfig.exe' + - '\pathping.exe' + - '\tracert.exe' + - '\netstat.exe' + - '\schtasks.exe' + - '\vssadmin.exe' + - '\wevtutil.exe' + - '\tasklist.exe' - OriginalFileName: - - 'whoami.exe' - - 'sysinfo.exe' - - 'quser.exe' - - 'ipconfig.exe' - - 'pathping.exe' - - 'tracert.exe' - - 'netstat.exe' - - 'schtasks.exe' - - 'VSSADMIN.EXE' - - 'wevtutil.exe' - - 'tasklist.exe' + - 'whoami.exe' + - 'sysinfo.exe' + - 'quser.exe' + - 'ipconfig.exe' + - 'pathping.exe' + - 'tracert.exe' + - 'netstat.exe' + - 'schtasks.exe' + - 'VSSADMIN.EXE' + - 'wevtutil.exe' + - 'tasklist.exe' susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml index 25663544e..0868cf343 100644 
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml @@ -21,31 +21,31 @@ detection: - '\wt.exe' selection_susp: - Image|endswith: - # Add more LOLBINS - - '\rundll32.exe' - - '\regsvr32.exe' - - '\certutil.exe' - - '\cscript.exe' - - '\wscript.exe' - - '\csc.exe' + # Add more LOLBINS + - '\rundll32.exe' + - '\regsvr32.exe' + - '\certutil.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\csc.exe' - Image|contains: - # Add more suspicious paths - - 'C:\Users\Public\' - - '\Downloads\' - - '\Desktop\' - - '\AppData\Local\Temp\' - - '\Windows\TEMP\' + # Add more suspicious paths + - 'C:\Users\Public\' + - '\Downloads\' + - '\Desktop\' + - '\AppData\Local\Temp\' + - '\Windows\TEMP\' - CommandLine|contains: - # Add more suspicious commandline - - ' iex ' - - ' icm' - - 'Invoke-' - - 'Import-Module ' - - 'ipmo ' - - 'DownloadString(' - - ' /c ' - - ' /k ' - - ' /r ' + # Add more suspicious commandline + - ' iex ' + - ' icm' + - 'Invoke-' + - 'Import-Module ' + - 'ipmo ' + - 'DownloadString(' + - ' /c ' + - ' /k ' + - ' /r ' filter_builtin_visual_studio_shell: CommandLine|contains|all: - 'Import-Module' diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index 8b83e3f03..13783e8cd 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml @@ -19,8 +19,8 @@ logsource: detection: selection_img: - Image|endswith: - - '\rar.exe' - - '\winrar.exe' + - '\rar.exe' + - '\winrar.exe' - Description: 'Command line RAR' selection_extension: CommandLine|contains: 
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml index 28aa3f046..076f4a9f9 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -22,23 +22,23 @@ detection: selection_binaries: # Note: add additional binaries that the attacker might use - Image|endswith: - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - OriginalFileName: - - 'Cmd.Exe' - - 'cscript.exe' - - 'mshta.exe' - - 'PowerShell.EXE' - - 'pwsh.dll' - - 'regsvr32.exe' - - 'RUNDLL32.EXE' - - 'wscript.exe' + - 'Cmd.Exe' + - 'cscript.exe' + - 'mshta.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'regsvr32.exe' + - 'RUNDLL32.EXE' + - 'wscript.exe' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml index c8ec1cd98..bba0ae8a2 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml @@ -16,8 +16,8 @@ logsource: detection: selection: - Image|endswith: - - '\rar.exe' - - '\winrar.exe' + - '\rar.exe' + - '\winrar.exe' - Description: 'Command line RAR' filter_main_unrar: # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml index 748ff8520..8c791759c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml @@ -25,13 +25,13 @@ detection: - Image|endswith: '\wmic.exe' - OriginalFileName: 'wmic.exe' - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E - - IMPHASH=37777A96245A3C74EB217308F3546F4C - - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 + - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E + - IMPHASH=37777A96245A3C74EB217308F3546F4C + - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 selection_cli: CommandLine|contains|all: - 'format:' diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml index 5adcf6aa7..fcc0d9b61 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml @@ -16,7 +16,7 @@ logsource: detection: selection_wmic: Image|endswith: '\wmic.exe' - CommandLine|contains: + CommandLine|contains: - '/format' # wmic process list /FORMAT /? - '-format' # wmic process list -FORMAT /? selection_msxsl: diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml index 368a1c2e1..ab0a28a9b 100644 --- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml 
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml @@ -24,11 +24,11 @@ detection: ParentImage|endswith: '\WmiPrvSE.exe' selection_img: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + - '\powershell.exe' + - '\pwsh.exe' - OriginalFileName: - - 'PowerShell.EXE' - - 'pwsh.dll' + - 'PowerShell.EXE' + - 'pwsh.dll' condition: all of selection_* falsepositives: - AppvClient diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml index bbe0610f7..a9766df77 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml @@ -18,11 +18,11 @@ logsource: detection: selection_img: - OriginalFileName: - - 'wscript.exe' - - 'cscript.exe' + - 'wscript.exe' + - 'cscript.exe' - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' + - '\wscript.exe' + - '\cscript.exe' selection_cli: CommandLine|contains: - '.js' diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 5f4d2b9a1..10be02086 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -15,11 +15,11 @@ logsource: detection: selection_img: - OriginalFileName: - - 'wscript.exe' - - 'cscript.exe' + - 'wscript.exe' + - 'cscript.exe' - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' + - '\wscript.exe' + - '\cscript.exe' selection_extension: CommandLine|contains: # Note: add additional potential suspicious extension 
diff --git a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_process_hollowing.yml index ce76e1373..ddc610eec 100644 --- a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml +++ b/rules/windows/process_tampering/proc_tampering_process_hollowing.yml @@ -40,8 +40,8 @@ detection: filter_optional_edge_1: - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' + - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_optional_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml index dc8b279ac..c21ef22ec 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml @@ -16,9 +16,9 @@ logsource: detection: selection: - TargetObject: - - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' + - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' + - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' + - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml index abbc03102..7abdbde39 100644 --- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml 
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml @@ -17,5 +17,5 @@ detection: TargetObject|endswith: '\Software\firm\soft\Name' condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml index 27264ac15..5920c1ab3 100755 --- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml +++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml @@ -19,7 +19,7 @@ detection: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' selection2: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - #add the payload in the (Default) + # Add the payload in the (Default) condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml index 496596699..e285d3b37 100755 --- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml 
@@ -16,20 +16,15 @@ logsource:
detection:
selection:
- TargetObject|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- #key rename
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ # Key Rename
- NewName|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
filter:
Details: '(Empty)'
condition: selection and not filter
falsepositives:
- Unknown
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 92a9af0dd..8266a28d5 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
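Review bot: The `fields:` block (EventID, Image, TargetObject, NewName) is removed at the end of this hunk, but the hunk for `registry_set_susp_reg_persist_explorer_run.yml` further down still carries `fields:` as a context line on the new side, so the commit is inconsistent about whether the attribute is being retired. Those four names are genuine Sysmon registry-event fields (NewName is the very field the rule's own `NewName|endswith` selection matches on), so dropping them loses a useful output hint for analysts unless a repository-wide removal is intended; if it is, that decision is worth documenting. The `fields:` removals in the `registry_set_asep_reg_keys_modification_common.yml` and `registry_set_asep_reg_keys_modification_currentversion.yml` hunks look different in kind: SecurityID, ObjectName, OldValueType and NewValueType appear to be Windows Security audit field names rather than Sysmon ones, so removing them from Sysmon-based rules seems correct.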
@@ -44,14 +44,14 @@ detection: Details: '(Empty)' filter_msoffice: - TargetObject|contains: - - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\' - - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\' + - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\' + - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\' - Details: - - '{314111c7-a502-11d2-bbca-00c04f8ec294}' - - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' - - '{42089D2D-912D-4018-9087-2B87803E93FB}' - - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' - - '{807583E5-5146-11D5-A672-00B0D022E945}' + - '{314111c7-a502-11d2-bbca-00c04f8ec294}' + - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' + - '{42089D2D-912D-4018-9087-2B87803E93FB}' + - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' + - '{807583E5-5146-11D5-A672-00B0D022E945}' filter_chrome: TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' filter_edge: @@ -68,11 +68,6 @@ detection: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' condition: main_selection and not 1 of filter_* -fields: - - SecurityID - - ObjectName - - OldValueType - - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index 108fced50..d71a8ae38 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
@@ -48,18 +48,18 @@ detection: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - Image|endswith: - - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe - - '\AppData\Roaming\Spotify\Spotify.exe' - - '\AppData\Local\WebEx\WebexHost.exe' + - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe + - '\AppData\Roaming\Spotify\Spotify.exe' + - '\AppData\Local\WebEx\WebexHost.exe' - Image: - - 'C:\WINDOWS\system32\devicecensus.exe' - - 'C:\Windows\system32\winsat.exe' - - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' - - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe' - - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe' - - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe' - - 'C:\Program Files\Everything\Everything.exe' - - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + - 'C:\WINDOWS\system32\devicecensus.exe' + - 'C:\Windows\system32\winsat.exe' + - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' + - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe' + - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe' + - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe' + - 'C:\Program Files\Everything\Everything.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' filter_logonui: Image: 'C:\Windows\system32\LogonUI.exe' TargetObject|contains: 
@@ -139,11 +139,6 @@ detection: TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything' Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations condition: all of current_version_* and not 1 of filter_* -fields: - - SecurityID - - ObjectName - - OldValueType - - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index a07b5d382..02b8cd40d 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -49,11 +49,11 @@ detection: Image|endswith: '\MicrosoftEdgeUpdate.exe' filter_msoffice: - TargetObject|contains: - - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' - - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\' + - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' + - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\' - Image: - - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe' - - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' filter_officeclicktorun: Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index 7b536cf01..a20da2268 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -53,7 +53,7 @@ detection: - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\' - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\' - '\Outlook\AddIns\EvernoteOLRD.Connect\' - #- '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly + # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\' - '\Outlook\Addins\OcOffice.OcForms\' - '\Outlook\Addins\\OneNote.OutlookAddin' diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 9b74ffad4..87310ceba 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -53,9 +53,9 @@ detection: - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}' - Details: 'grpconv -o' - Details|contains|all: - - 'C:\Program Files' - - '\Dropbox\Client\Dropbox.exe' - - ' /systemstartup' + - 'C:\Program Files' + - '\Dropbox\Client\Dropbox.exe' + - ' /systemstartup' filter_evernote: TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer' filter_dotnet: diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index d1e25a905..a4b9e0f9d 100644 
--- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml @@ -33,11 +33,11 @@ detection: - '\AppData\Roaming\' filter: - Image|contains: - - '\AppData\Roaming\Zoom' - - '\AppData\Local\Zoom' + - '\AppData\Roaming\Zoom' + - '\AppData\Local\Zoom' - Details|contains: - - '\AppData\Roaming\Zoom' - - '\AppData\Local\Zoom' + - '\AppData\Roaming\Zoom' + - '\AppData\Local\Zoom' condition: 1 of selection_* and not filter falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml index d7dcd7557..e9069c1c2 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall - #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall - #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\' TargetObject|endswith: '\EnableFirewall' Details: 'DWORD (0x00000000)' 
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index f9d88f28a..adf10c8fc 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml @@ -20,7 +20,7 @@ detection: - '\Software\Microsoft\Fax\Device Providers\' - '\ImageName' filter: - Details: '%systemroot%\system32\fxst30.dll' #Windows 10 + Details: '%systemroot%\system32\fxst30.dll' # Windows 10 condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 6ab62d21a..2e1fb51b3 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -27,7 +27,7 @@ detection: - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' - #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV filter_valid_procs: Image: C:\Windows\System32\poqexec.exe condition: selection and not 1 of filter* diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 8fed0356d..b5b05efec 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml 
@@ -25,9 +25,9 @@ detection: - 'C:\Program Files\' - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - #filter_specific: # Uncomment This section to add specific Protocol Handler names that are know - # Details: 'URL:' + # filter_specific: + # Details: 'URL:' condition: selection and not 1 of filter_main_* falsepositives: - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environement. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml index 18d7ca896..68943d718 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml @@ -57,7 +57,7 @@ detection: - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler - #- '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default) + # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default) - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler filter_generic_paths: Image|startswith: diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index c7f305554..f33bacadc 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml 
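Review bot: The commented-out `filter_specific` block on the new side cannot be enabled simply by uncommenting it, because the `condition` two lines below is `selection and not 1 of filter_main_*` and the name `filter_specific` does not match that glob, so a user who follows the hint adds a filter that the condition never evaluates. Renaming the placeholder to `# filter_main_specific:` keeps it consistent with the other filters and makes the uncomment path work as intended. The reindent also dropped the only explanation of what the block is for (`# Uncomment This section to add specific Protocol Handler names that are know`); a short trailing comment on the placeholder line, such as `# uncomment to allow-list known protocol handler names`, would restore that guidance.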
@@ -39,7 +39,7 @@ detection: - '\AppData\Roaming\Dropbox\' - '\DropboxExt64.*.dll' filter_main_trend_micro: - Details|endswith: 'TmopIEPlg.dll' #TrendMicro osce + Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce filter_main_update: Image|endswith: - ':\WINDOWS\system32\wuauclt.exe' diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index 7e68240fd..29818ffa7 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -18,12 +18,12 @@ detection: TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' selection2: - Details|startswith: - - 'C:\Windows\Temp\' - - 'C:\ProgramData\' - - 'C:\$Recycle.bin\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' + - 'C:\Windows\Temp\' + - 'C:\ProgramData\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' - Details|contains: '\AppData\' condition: selection and selection2 fields: diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index 59f342935..4dc1a22ba 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml 
@@ -20,19 +20,19 @@ detection: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' selection_details: - Details|contains: - - 'C:\Windows\Temp\' - - 'C:\$Recycle.bin\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - 'C:\Users\Desktop\' - - '\AppData\Local\Temp\' - - '%temp%\' - - '%tmp%\' + - 'C:\Windows\Temp\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\AppData\Local\Temp\' + - '%temp%\' + - '%tmp%\' - Details|startswith: - - '%Public%\' - - 'wscript' - - 'cscript' + - '%Public%\' + - 'wscript' + - 'cscript' condition: all of selection_* fields: - Image diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml index 85a06fe29..e6deae463 100644 --- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml +++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml 
@@ -18,42 +18,42 @@ detection: TargetObject|contains: '\Environment\' selection_details: - Details: - - 'powershell' - - 'pwsh' + - 'powershell' + - 'pwsh' - Details|contains: - # Add more suspicious strings in env variables below - - '\AppData\Local\Temp\' - - 'C:\Users\Public\' - # Base64 MZ Header - - 'TVqQAAMAAAAEAAAA' # MZ.......... - - 'TVpQAAIAAAAEAA8A' - - 'TVqAAAEAAAAEABAA' - - 'TVoAAAAAAAAAAAAA' - - 'TVpTAQEAAAAEAAAA' - # Base64 Invoke- (UTF-8) - - 'SW52b2tlL' - - 'ludm9rZS' - - 'JbnZva2Ut' - # Base64 Invoke- (UTF-16LE) - - 'SQBuAHYAbwBrAGUALQ' - - 'kAbgB2AG8AawBlAC0A' - - 'JAG4AdgBvAGsAZQAtA' + # Add more suspicious strings in env variables below + - '\AppData\Local\Temp\' + - 'C:\Users\Public\' + # Base64 MZ Header + - 'TVqQAAMAAAAEAAAA' # MZ.......... + - 'TVpQAAIAAAAEAA8A' + - 'TVqAAAEAAAAEABAA' + - 'TVoAAAAAAAAAAAAA' + - 'TVpTAQEAAAAEAAAA' + # Base64 Invoke- (UTF-8) + - 'SW52b2tlL' + - 'ludm9rZS' + - 'JbnZva2Ut' + # Base64 Invoke- (UTF-16LE) + - 'SQBuAHYAbwBrAGUALQ' + - 'kAbgB2AG8AawBlAC0A' + - 'JAG4AdgBvAGsAZQAtA' - Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 - - 'SUVY' - - 'SQBFAF' - - 'SQBuAH' - - 'cwBhA' - - 'aWV4' - - 'aQBlA' - - 'R2V0' - - 'dmFy' - - 'dgBhA' - - 'dXNpbm' - - 'H4sIA' - - 'Y21k' - - 'cABhAH' - - 'Qzpc' - - 'Yzpc' + - 'SUVY' + - 'SQBFAF' + - 'SQBuAH' + - 'cwBhA' + - 'aWV4' + - 'aQBlA' + - 'R2V0' + - 'dmFy' + - 'dgBhA' + - 'dXNpbm' + - 'H4sIA' + - 'Y21k' + - 'cABhAH' + - 'Qzpc' + - 'Yzpc' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index f77b13bd8..9d96673be 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml 
@@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index 0eae9839b..f7ff9019e 100644 --- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml @@ -5,7 +5,7 @@ description: Detects potential malicious modification of the property value of U references: - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 - - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials + - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 modified: 2023/08/17 diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index bcdc46262..4954c93b7 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml 
@@ -15,9 +15,9 @@ detection: selection: EventID: 16 # To avoid FP just add - #filter: - # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML' - #condition: selection and not filter + # filter: + # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML' + # condition: selection and not filter condition: selection falsepositives: - Legitimate administrative action diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index f84cb1ade..335ef9b8f 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -18,21 +18,21 @@ logsource: detection: selection_destination: - Destination|contains|all: - - 'new-object' - - 'net.webclient' - - '.downloadstring' + - 'new-object' + - 'net.webclient' + - '.downloadstring' - Destination|contains|all: - - 'new-object' - - 'net.webclient' - - '.downloadfile' + - 'new-object' + - 'net.webclient' + - '.downloadfile' - Destination|contains: - - ' iex(' - - ' -nop ' - - ' -noprofile ' - - ' -decode ' - - ' -enc ' - - 'WScript.Shell' - - 'System.Security.Cryptography.FromBase64Transform' + - ' iex(' + - ' -nop ' + - ' -noprofile ' + - ' -decode ' + - ' -enc ' + - 'WScript.Shell' + - 'System.Security.Cryptography.FromBase64Transform' condition: selection_destination fields: - User diff --git a/tests/promote_rules_status.py b/tests/promote_rules_status.py new file mode 100644 index 000000000..f1e3c3ba9 --- /dev/null +++ b/tests/promote_rules_status.py 
@@ -0,0 +1,86 @@
+import os
+import yaml
+from datetime import datetime
+
+path_to_rules_ = [
+ "rules",
+ "rules-emerging-threats",
+ "rules-placeholder",
+ "rules-threat-hunting",
+ "rules-compliance",
+]
+path_to_rules = []
+for path_ in path_to_rules_:
+ path_to_rules.append(
+ os.path.join(os.path.dirname(os.path.realpath(__name__)), path_)
+ )
+
+
+# Helper functions
+def yield_next_rule_file_path(path_to_rules: list) -> str:
+ for path_ in path_to_rules:
+ for root, _, files in os.walk(path_):
+ for file in files:
+ if file.endswith(".yml"):
+ yield os.path.join(root, file)
+
+
+def get_rule_yaml(file_path: str) -> dict:
+ data = []
+
+ with open(file_path, encoding="utf-8") as f:
+ yaml_parts = yaml.safe_load_all(f)
+ for part in yaml_parts:
+ data.append(part)
+
+ return data
+
+
+def get_rule_part(file_path: str, part_name: str):
+ yaml_dicts = get_rule_yaml(file_path)
+ for yaml_part in yaml_dicts:
+ if part_name in yaml_part.keys():
+ return yaml_part[part_name]
+
+ return None
+
+
+def get_rules_to_promote():
+ today = datetime.today().strftime("%Y/%m/%d")
+ rules_to_promote = []
+ for file in yield_next_rule_file_path(path_to_rules):
+ status = get_rule_part(file_path=file, part_name="status")
+ if status:
+ if status == "experimental":
+ last_update = ""
+ date_ = get_rule_part(file_path=file, part_name="date")
+ modified_ = get_rule_part(file_path=file, part_name="modified")
+ if modified_:
+ last_update = modified_
+ elif date_:
+ last_update = date_
+ else:
+ # We assign today as a last option to avoid any errors
+ last_update = today
+
+ difference = (
+ datetime.strptime(today, "%Y/%m/%d")
+ - datetime.strptime(last_update, "%Y/%m/%d")
+ ).days
+ if difference >= 300:
+ rules_to_promote.append(file)
+ return rules_to_promote
+
+
+def promote_rules(rules_to_promote):
+ for file_ in rules_to_promote:
+ with open(file_, "r", encoding="utf8") as f:
+ data = f.read().replace("\nstatus: experimental", "\nstatus: test")
+
+ with open(file_, "w", encoding="utf8") as f:
+ f.write(data)
+
+
+if __name__ == "__main__":
+ rules_to_promote = get_rules_to_promote()
+ promote_rules(rules_to_promote)
diff --git a/tests/reference-archiver.py b/tests/reference-archiver.py
new file mode 100644
index 000000000..0007b6abc
--- /dev/null
+++ b/tests/reference-archiver.py
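Review bot: `path_to_rules` is derived from `os.path.dirname(os.path.realpath(__name__))`; when the script is executed `__name__` is the string `"__main__"`, so `realpath` resolves it against the current working directory and the rule folders are only found when the script is launched from the repository root. If that is the intended contract it deserves a comment at the top of the file, otherwise the usual form is `os.path.dirname(os.path.dirname(os.path.realpath(__file__)))` (the script lives under `tests/`, hence the extra `dirname`). In `get_rules_to_promote`, a single rule whose `date` or `modified` field is not in `%Y/%m/%d` form makes `datetime.strptime(last_update, "%Y/%m/%d")` raise an uncaught `ValueError` and aborts the whole run; catching it per file and printing the offending path would let the remaining rules still be promoted. The annotations `-> str` on `yield_next_rule_file_path` and `-> dict` on `get_rule_yaml` do not describe what is returned (a generator of paths and a list of YAML documents); `-> Iterator[str]` and `-> list` would.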
@@ -0,0 +1,157 @@
+# Author:
+# Martin Spielmann / KION Group IT
+# Nasreddine Bencherchali / Nextron Systems
+
+__version__ = "0.0.1"
+
+import time
+import requests
+import yaml
+import os
+
+
+WEB_ARCHIVE_SAVE_URL = "https://web.archive.org/save/"
+WEB_ARCHIVE_GET_URL = "https://web.archive.org/web/"
+
+with open("tests/rule-references.txt", "r") as f:
+ RULE_REFERENCES = [i.strip() for i in f.readlines()]
+
+path_to_rules = [
+ "rules",
+ "rules-emerging-threats",
+ "rules-placeholder",
+ "rules-threat-hunting",
+ "rules-compliance",
+]
+
+
+# Helper functions
+def yield_next_rule_file_path(path_to_rules: list) -> str:
+ for path_ in path_to_rules:
+ for root, _, files in os.walk(path_):
+ for file in files:
+ if file.endswith(".yml"):
+ yield os.path.join(root, file)
+
+
+def get_rule_part(file_path: str, part_name: str):
+ yaml_dicts = get_rule_yaml(file_path)
+ for yaml_part in yaml_dicts:
+ if part_name in yaml_part.keys():
+ return yaml_part[part_name]
+
+ return None
+
+
+def get_rule_yaml(file_path: str) -> dict:
+ data = []
+
+ with open(file_path, encoding="utf-8") as f:
+ yaml_parts = yaml.safe_load_all(f)
+ for part in yaml_parts:
+ data.append(part)
+
+ return data
+
+
+def get_references(path_to_rules):
+ ref_list = []
+
+ for file in yield_next_rule_file_path(path_to_rules):
+ references = get_rule_part(file_path=file, part_name="references")
+ if references:
+ for ref in references:
+ # To avoid references using "Internal Research" or similar
+ if ref.startswith("http"):
+ ref_list.append(ref)
+ return ref_list
+
+
+def archive_references(ref_list):
+ error_archiving = []
+ already_archived = []
+ newly_archived_references = []
+
+ for ref in ref_list:
+ try:
+ archive_response = requests.get(url=WEB_ARCHIVE_GET_URL + ref)
+ # If the URL is not yet archived, the Wayback Machine returns a 404 response
+ status_code = archive_response.status_code
+ if status_code in (200, 301, 302):
+ # Already archived
+ already_archived.append(ref)
+ print("Reference '{}' is already archived".format(ref))
+ elif status_code == 403:
+ # Wayback machine does not have permission to access the reference.
+ error_archiving.append(ref)
+ print(
+ "Wayback Machine got permission denied in the past, when trying to access reference '{}'. Not archiving.".format(
+ ref
+ )
+ )
+ else:
+ print("Reference '{}' is not archived. Archiving...".format(ref))
+ archive_response = requests.post(url=WEB_ARCHIVE_SAVE_URL + ref)
+ newly_archived_references.append(ref)
+
+ # We sleep so we don't spam the Wayback Machine too much :)
+ time.sleep(1)
+ except:
+ error_archiving.append(ref)
+
+ return already_archived, newly_archived_references, error_archiving
+
+
+if __name__ == "__main__":
+ print("Archiving references ...\n")
+
+ tmp_ref_list = get_references(path_to_rules)
+
+ # We do an intersection between the full list and the list of references that are already archived
+ ref_list = list(set(tmp_ref_list) - set(RULE_REFERENCES))
+
+ already_archived, newly_archived_references, error_archiving = archive_references(
+ ref_list
+ )
+
+ with open("tests/rule-references.txt", "a") as f:
+ for ref in already_archived:
+ f.write(ref)
+ f.write("\n")
+
+ for ref in newly_archived_references:
+ f.write(ref)
+ f.write("\n")
+
+ # Write markdown output to open the issue
+ with open(".github/archiver_output.md", "w") as f:
+ f.write("---\n")
+ f.write(
+ f"title: '\"Reference Archiver Results - {{ date | date('dddd, MMMM Do') }}\"'\n"
+ )
+ f.write("assignees: 'nasbench'\n\n")
+ f.write("---\n\n")
+ f.write("### Archiver Script Results\n\n")
+
+ f.write("\n#### Newly Archived References\n\n")
+ if newly_archived_references:
+ for ref in newly_archived_references:
+ f.write(f"- {ref}\n")
+ else:
+ f.write("N/A\n")
+
+ f.write("\n#### Already Archived References\n\n")
+ if already_archived:
+ for ref in already_archived:
+ f.write(f"- {ref}\n")
+ else:
+ f.write("N/A\n")
+
+ f.write("\n#### Error While Archiving References\n\n")
+ if error_archiving:
+ for ref in error_archiving:
+ f.write(f"- {ref}\n")
+ else:
+ f.write("N/A\n")
+
+ print("\nDone.")
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
new file mode 100644
index 000000000..d0f7a9e0d
--- /dev/null
+++ b/tests/rule-references.txt
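Review bot: In `archive_references`, the reference is appended to `newly_archived_references` immediately after `requests.post(url=WEB_ARCHIVE_SAVE_URL + ref)` without inspecting the response, so a save the Wayback Machine rejected is still written to `tests/rule-references.txt` by the `__main__` block and, because `ref_list` is computed as `set(tmp_ref_list) - set(RULE_REFERENCES)`, it is never retried on a later run. Checking the save before recording it, `archive_response = requests.post(url=WEB_ARCHIVE_SAVE_URL + ref, timeout=60)` followed by `archive_response.raise_for_status()`, lets the existing `except` route the failure into `error_archiving` where it is reported in the generated issue. Both `requests` calls also run without a `timeout`, so a single unresponsive endpoint can stall the workflow indefinitely; the same `timeout=60` belongs on the `requests.get` call. The bare `except:` would be narrower as `except requests.RequestException:` so that a keyboard interrupt or a programming error is not silently reclassified as an archiving failure. The helpers `yield_next_rule_file_path`, `get_rule_part` and `get_rule_yaml` are copy-pasted from `tests/promote_rules_status.py` in the same commit, including the same inaccurate `-> str` and `-> dict` annotations; a shared module would keep the two scripts from drifting apart.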
@@ -0,0 +1,3410 @@ +https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1 +https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ +https://nmap.org/ +https://twitter.com/jas502n/status/1321416053050667009?s=20 +https://www.gnu.org/software/wget/manual/wget.html +https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax +https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution +https://twitter.com/wugeej/status/1369476795255320580 +https://www.secureworks.com/blog/ransomware-as-a-distraction +https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ +https://github.com/LOLBAS-Project/LOLBAS/issues/243 +https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection +https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +https://twitter.com/gentilkiwi/status/1003236624925413376 +https://www.cobaltstrike.com/help-windows-executable +https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 +https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ +https://twitter.com/dez_/status/986614411711442944 +https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ +https://github.com/bugch3ck/SharpLdapWhoami +https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 +https://twitter.com/wdormann/status/1679184475677130755 +https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ +https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ +https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html 
+https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html +https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ +https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs +https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ +https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf +https://seclists.org/fulldisclosure/2023/Jan/1 +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md +https://awakesecurity.com/blog/threat-hunting-for-paexec/ +https://winaero.com/enable-openssh-server-windows-10/ +https://lolbas-project.github.io/lolbas/Libraries/Setupapi/ +https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION +https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content +https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +https://redcanary.com/blog/intelligence-insights-april-2022/ +https://twitter.com/Alh4zr3d/status/1566489367232651264 +https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek +https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt +https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs +https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 +https://twitter.com/orange_8361/status/1518970259868626944 +https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 
+https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server +http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html +https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection +https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html +https://thedfirreport.com/2020/06/21/snatch-ransomware/ +https://github.com/wunderwuzzi23/firefox-cookiemonster +https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx +https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 +https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf +https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545 +https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388 +https://blog.aquasec.com/container-security-tnt-container-attack +https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp +https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ +https://github.com/bats3c/EvtMute +https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html +https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/ +https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html +https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ +https://twitter.com/DidierStevens/status/1217533958096924676 +https://www.joeware.net/freetools/tools/adfind/ +https://lolbas-project.github.io/lolbas/Binaries/Regedit/ 
+https://en.wikipedia.org/wiki/Nohup +https://nullsec.us/windows-event-log-audit-cve/ +https://rules.sonarsource.com/java/RSPEC-2755 +https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html +https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ +https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308 +https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01 +https://nvd.nist.gov/vuln/detail/cve-2021-34527 +https://gist.github.com/Capybara/6228955 +https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ +https://windows-internals.com/faxing-your-way-to-system/ +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib +https://twitter.com/Max_Mal_/status/1633863678909874176 +https://github.com/OTRF/detection-hackathon-apt29/issues/1 +https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer +https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign +https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ +https://pentestlab.blog/2017/04/13/hot-potato/ +https://github.com/3proxy/3proxy +https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network +https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 +https://gtfobins.github.io/gtfobins/vim/ +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 +https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 
+https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 +http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html +https://isc.sans.edu/diary/More+Data+Exfiltration/25698 +https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0 +https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html +https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ +https://github.com/HuskyHacks/ShadowSteal +https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins +https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html +https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg +https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ +https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45 +https://ss64.com/osx/dscl.html +https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ +https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ +https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ +https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ +https://github.com/tevora-threat/SharpView/ +https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md +https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 +https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ 
+https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ +https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat +https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone +https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe +https://twitter.com/vxunderground/status/1423336151860002816?s=20 +https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/ +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia +https://adsecurity.org/?p=1772 +https://github.com/EddieIvan01/iox +https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ +https://github.com/FireFart/hivenightmare +https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html +https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html +https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite +https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 +https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 +https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ +https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 
+https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc +https://twitter.com/shutingrz/status/1469255861394866177?s=21 +https://github.com/GhostPack/Certify +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation +https://github.com/mandiant/SharPersist +https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml +https://github.com/tccontre/Reg-Restore-Persistence-Mole +https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/ +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change +https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump +https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ +https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update +https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/ +https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ +https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide +https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/ +https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ +https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +https://persistence-info.github.io/Data/diskcleanuphandler.html +https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
+https://tools.ietf.org/html/rfc2929#section-2.1
+https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
+https://blog.xpnsec.com/exploring-mimikatz-part-1/
+https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
+https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
+https://twitter.com/0gtweet/status/1457676633809330184
+https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
+https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
+https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
+https://twitter.com/mttaggart/status/1511804863293784064
+https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+https://www.manpagez.com/man/8/firmwarepasswd/
+https://linuxhint.com/uninstall-debian-packages/
+https://github.com/Hackndo/lsassy
+https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+https://github.com/antonioCoco/RogueWinRM
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
+https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
+https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
+https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
+https://www.lunasec.io/docs/blog/log4j-zero-day/
+https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
+https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
+https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md
+https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
+https://github.com/ly4k/Certipy
+https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
+https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+https://linux.die.net/man/1/import
+https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
+https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
+https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
+https://isc.sans.edu/diary/22264
+https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
+https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
+https://github.com/LOLBAS-Project/LOLBAS/pull/239
+https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+https://ss64.com/nt/for.html
+https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
+https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
+https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
+https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
+https://twitter.com/egre55/status/1087685529016193025
+https://twitter.com/_felamos/status/1179811992841797632
+https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
+https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
+https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
+http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
+https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+https://github.com/boku7/injectAmsiBypass
+https://labs.withsecure.com/publications/fin7-target-veeam-servers
+https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
+https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
+https://twitter.com/SBousseaden/status/1211636381086339073
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
+https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+https://atomicredteam.io/defense-evasion/T1220/
+https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
+https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
+https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
+http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+https://twitter.com/cglyer/status/1182391019633029120
+https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
+https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
+https://redcanary.com/blog/intelligence-insights-november-2021/
+https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
+https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
+https://github.com/fox-it/LDAPFragger
+https://twitter.com/RedDrip7/status/1506480588827467785
+https://github.com/decoder-it/LocalPotato
+https://twitter.com/Oddvarmoe/status/1270633613449723905
+https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
+https://www.revshells.com/
+https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
+https://github.com/sleventyeleven/linuxprivchecker/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
+https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
+https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
+https://github.com/dagwieers/vsftpd/
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role
+https://emkc.org/s/RJjuLa
+https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
+https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
+https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
+https://blog.lexfo.fr/Forensics-xortigate-notice.html
+https://adepts.of0x.cc/netsh-portproxy-code/
+https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
+https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
+https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
+https://twitter.com/shantanukhande/status/1229348874298388484
+https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
+https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
+https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
+https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
+https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
+https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
+https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
+https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
+https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
+https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
+https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
+https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
+https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
+https://github.com/NetSPI/PowerUpSQL
+https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
+https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
+https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
+https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
+https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
+https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
+https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
+https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
+https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
+https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
+https://securelist.com/apt-slingshot/84312/
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
+https://twitter.com/nas_bench/status/1537563834478645252
+https://twitter.com/httpvoid0x2f/status/1532924261035384832
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address
+https://www.echotrail.io/insights/search/mshta.exe
+https://www.echotrail.io/insights/search/defaultpack.exe
+https://mobile.twitter.com/0gtweet/status/1564131230941122561
+https://github.com/Yaxser/Backstab
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+https://github.com/last-byte/PersistenceSniper
+https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
+https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
+https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
+https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+https://ss64.com/nt/logman.html
+https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
+https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
+https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
+https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
+https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
+https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
+https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
+https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+https://www.packetlabs.net/posts/clipboard-data-security/
+https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
+https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
+https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
+https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
+https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
+https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
+https://twitter.com/nas_bench/status/1618021838407495681
+https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
+https://posts.specterops.io/covenant-v0-5-eee0507b85ba
+https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
+https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
+https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
+https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
+https://twitter.com/0gtweet/status/1477925112561209344
+https://attack.mitre.org/software/S0404/
+https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
+https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
+https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+https://github.com/Porchetta-Industries/CrackMapExec
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
+https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
+https://github.com/CsEnox/EventViewer-UACBypass
+https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
+https://www.secura.com/blog/zero-logon
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
+https://www.echotrail.io/insights/search/wermgr.exe
+https://github.com/harleyQu1nn/AggressorScripts
+https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
+https://github.com/calebstewart/CVE-2021-1675
+https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+https://twitter.com/chadtilbury/status/1275851297770610688
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
+https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
+https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
+https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
+https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
+https://twitter.com/0gtweet/status/1182516740955226112
+https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
+https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+https://github.com/med0x2e/vba2clr
+https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
+https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
+https://kb.cert.org/vuls/id/843464
+https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
+https://pentestlab.blog/tag/ntds-dit/
+https://www.secureworks.com/research/shadowpad-malware-analysis
+https://lolbas-project.github.io/lolbas/Binaries/Ssh/
+https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
+https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
+https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
+https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
+https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
+https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
+https://twitter.com/Cyb3rWard0g/status/1453123054243024897
+http://guides.rubyonrails.org/action_controller_overview.html
+https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
+https://www.gpg4win.de/documentation.html
+https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
+https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
+https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
+https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
+https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
+https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
+https://linux.die.net/man/1/chage
+https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
+https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
+https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
+https://github.com/Neo23x0/auditd
+https://redcanary.com/threat-detection-report/threats/cobalt-strike/
+https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+https://o365blog.com/post/hybridhealthagent/
+https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
+https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
+https://github.com/danielbohannon/Invoke-Obfuscation
+https://twitter.com/n1nj4sec/status/1421190238081277959
+https://f5.pm/go-59627.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
+https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
+https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
+https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
+https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
+https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
+https://twitter.com/mrd0x/status/1460597833917251595
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+https://twitter.com/harr0ey/status/991670870384021504
+https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
+https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+https://github.com/fatedier/frp
+https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
+https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
+https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
+https://cloud.google.com/kubernetes-engine/docs
+http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
+https://nvd.nist.gov/vuln/detail/cve-2021-1675
+https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+https://github.com/GhostPack/SafetyKatz
+https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
+https://corelight.com/blog/detecting-cve-2021-42292
+https://lolbas-project.github.io/lolbas/Binaries/Regini/
+https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
+https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+https://www.powershellgallery.com/packages/DSInternals
+https://github.com/JoelGMSec/PSAsyncShell
+https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
+https://github.com/bats3c/ADCSPwn
+https://twitter.com/splinter_code/status/1420546784250769408
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
+https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
+https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
+https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
+https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
+https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
+https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
+https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
+https://twitter.com/mrd0x/status/1478116126005641220
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
+https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
+https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
+https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
+https://digital.nhs.uk/cyber-alerts/2018/cc-2825
+https://redcanary.com/blog/mac-application-bundles/
+https://github.com/mdsecactivebreach/CACTUSTORCH
+https://twitter.com/cyb3rops/status/1168863899531132929
+https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
+https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+https://pentestlab.blog/2020/07/06/indirect-command-execution/
+https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
+https://persistence-info.github.io/Data/aedebug.html
+https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
+https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
+https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
+https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
+https://github.com/vanhauser-thc/thc-hydra
+https://developer.okta.com/docs/reference/api/event-types/
+https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+https://github.com/payloadbox/sql-injection-payload-list
+https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
+https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
+https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
+https://developer.okta.com/docs/reference/api/system-log/
+https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+https://github.com/sensepost/ruler
+https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
+https://github.com/Neo23x0/Raccine
+https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
+https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
+https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
+https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
+https://twitter.com/matthewdunwoody/status/1352356685982146562
+https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
+https://github.com/hieuminhnv/CVE-2022-21587-POC
+https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
+https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
+https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
+https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
+https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
+https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
+https://github.com/darrenmartyn/VisualDoor
+https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+https://jpcertcc.github.io/ToolAnalysisResultSheet
+https://sysdig.com/blog/mitre-defense-evasion-falco
+https://twitter.com/GelosSnake/status/934900723426439170
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
+https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+https://www.d7xtech.com/free-software/runx/
+https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
+https://thedfirreport.com/2020/05/08/adfind-recon/
+https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
+https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace
+https://twitter.com/0gtweet/status/1465282548494487554
+https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
+https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
+https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
+https://twitter.com/_vivami/status/1347925307643355138
+https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
+https://firewalld.org/documentation/man-pages/firewall-cmd.html
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+https://twitter.com/neonprimetime/status/1435584010202255375
+https://artkond.com/2017/03/23/pivoting-guide/
+https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
+https://github.com/codewhitesec/SysmonEnte/
+https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
+https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
+https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/ +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +https://redcanary.com/blog/raspberry-robin/ +https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r +https://twitter.com/NinjaParanoid/status/1516442028963659777 +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles +https://www.mandiant.com/resources/russian-targeting-gov-business +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/ +https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files +https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation +http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ +https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe +https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743 +https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz +https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36 +https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ +https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html 
+https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml +https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 +https://lolbas-project.github.io/lolbas/Binaries/Bash/ +https://seclists.org/fulldisclosure/2020/Mar/45 +https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx +https://www.roboform.com/ +https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 +https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf +https://github.com/carlospolop/PEASS-ng +https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps +https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- +https://objective-see.org/blog/blog_0x68.html +https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md +https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110 +https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html +https://www.hvs-consulting.de/lazarus-report/ +https://unicode-explorer.com/c/202E +https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ +https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/ 
+https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +https://thedfirreport.com/2021/12/13/diavol-ransomware/ +https://blog.alyac.co.kr/1901 +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +https://twitter.com/harr0ey/status/989617817849876488 +https://twitter.com/sudo_sudoka/status/1323951871078223874 +https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ +https://twitter.com/Moriarty_Meng/status/984380793383370752 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md +http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass +https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2 +https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml +https://www.cisa.gov/uscert/ncas/alerts/aa22-321a +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 +http://addbalance.com/word/startup.htm +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 +https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml +https://linux.die.net/man/1/truncate 
+https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ +https://lolbas-project.github.io/lolbas/Binaries/Winget/ +https://twitter.com/mvelazco/status/1410291741241102338 +https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f +https://threadreaderapp.com/thread/1533879688141086720.html +https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders +https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ +https://aboutdfir.com/the-key-to-identify-psexec/ +https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell +https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1 +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 +https://www.localpotato.com/localpotato_html/LocalPotato.html +https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html +https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml +https://github.com/SigmaHQ/sigma/pull/4467 +https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html +https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html +https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF +https://vms.drweb.fr/virus/?i=24144899 +https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html +https://github.com/samratashok/ADModule +https://persistence-info.github.io/Data/recyclebin.html 
+https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm +https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/ +https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ +https://github.com/BloodHoundAD/SharpHound +https://twitter.com/BleepinComputer/status/1372218235949617161 +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 +https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 +https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package +https://github.com/zcgonvh/NTDSDumpEx +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md +https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ +https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +https://www.manpagez.com/man/8/PlistBuddy/ +https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers +https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product +https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md +https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ +https://blog.talosintelligence.com/2017/05/wannacry.html +https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 +https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/ +https://adsecurity.org/?p=1714 +https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile +https://taggart-tech.com/quasar-electron/ +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 
+https://bidouillesecurity.com/disable-windows-defender-in-powershell/ +https://twitter.com/Z3Jpa29z/status/1317545798981324801 +https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/ +https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ +https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md +https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest +https://research.checkpoint.com/2020/apache-guacamole-rce/ +https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +https://persistence-info.github.io/Data/autodialdll.html +https://brightsec.com/blog/sql-injection-payloads/ +https://bunnyinside.com/?term=f71e8cb9c76a +https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index +https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html +https://deviceatlas.com/blog/list-of-user-agent-strings#desktop +https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos +https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks +https://core.telegram.org/bots/faq +https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html +https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html 
+https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638 +https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html +https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +https://github.com/LOLBAS-Project/LOLBAS/pull/238/files +https://labs.watchtowr.com/xortigate-or-cve-2023-27997/ +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964 +https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ +https://linux.die.net/man/8/groupdel +https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html +https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed +https://twitter.com/Sam0x90/status/1552011547974696960 +http://www.sqlinjection.net/errors +https://blogs.blackberry.com/ +https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1 +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md +https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows +https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ +https://redcanary.com/blog/intelligence-insights-october-2021/ +https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html +https://twitter.com/hakluke/status/1587733971814977537/photo/1 
+https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web +https://twitter.com/subTee/status/1216465628946563073 +https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 +https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/ +https://twitter.com/ShadowChasing1/status/1552595370961944576 +https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks +https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe +https://twitter.com/ptswarm/status/1445376079548624899 +https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password +https://github.com/ly4k/SpoolFool +https://github.com/Wh04m1001/IDiagnosticProfileUAC +https://docs.aws.amazon.com/cli/latest/reference/securityhub/ +https://github.com/elastic/detection-rules/pull/1267 +http://www.botopedia.org/search?searchword=scan&searchphrase=all +https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html +https://github.com/FortyNorthSecurity/WMImplant +http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp +https://www.uptycs.com/blog/lolbins-are-no-laughing-matter +https://lolbas-project.github.io/lolbas/Binaries/Msiexec/ 
+https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit +https://twitter.com/_nullbind/status/1204923340810543109 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md +https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter +https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf +https://antgarsil.github.io/posts/velocity/ +https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration +https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html +https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ +https://www.poolwatch.io/coin/monero +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md +https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md +https://twitter.com/_xpn_/status/1268712093928378368 +https://sourceforge.net/projects/mouselock/ +https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ +https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection +https://ngrok.com/ +https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html +https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/ +https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ +https://twitter.com/_xpn_/status/1491557187168178176 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python +https://twitter.com/_felamos/status/1204705548668555264 +https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7 +https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ +https://github.com/zcgonvh/EfsPotato +https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign +https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/ +https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ +https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions +https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 +https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ +https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol +https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md 
+https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social +https://blog.skyplabs.net/posts/container-detection/ +https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md +https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1 +https://www.echotrail.io/insights/search/wusa.exe/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store +https://gtfobins.github.io/gtfobins/wget/ +https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) +https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries +https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml +https://github.com/looCiprian/GC2-sheet +https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/ +https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md +https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks +https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ 
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime +https://any-api.com/googleapis_com/compute/docs/vpnTunnels +https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges +https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3 +https://twitter.com/nas_bench/status/1535663791362519040 +https://dmaasland.github.io/posts/citrix.html +https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d +https://docs.microsoft.com/en-us/windows/win32/shell/launch +https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 +https://twitter.com/jonasLyk/status/1555914501802921984 +https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns +https://twitter.com/WhichbufferArda/status/1543900539280293889 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service +https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +https://docs.python.org/3/using/cmdline.html#cmdoption-c +https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm +https://lolbas-project.github.io/lolbas/Binaries/Pktmon/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md +https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py +https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md 
+https://twitter.com/Al1ex4/status/1382981479727128580 +https://www.qualys.com/2021/05/04/21nails/21nails.txt +https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ +https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ +https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/ +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +https://twitter.com/_st0pp3r_/status/1583914244344799235 +https://github.com/boku7/spawn +https://github.com/OTRF/detection-hackathon-apt29 +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md +https://twitter.com/blackorbird/status/1140519090961825792 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note +https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0 +https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 +https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ +https://lolbas-project.github.io/lolbas/Binaries/Setres/ +https://github.com/p0dalirius/LDAPmonitor +https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ +https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/ +https://twitter.com/malmoeb/status/1525901219247845376 +https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml +https://twitter.com/duff22b/status/1280166329660497920 
+https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 +https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +https://securelist.com/muddywater/88059/ +https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ +https://thewover.github.io/Introducing-Donut/ +https://github.com/krmaxwell/dns-exfiltration +https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows +https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf +https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ +https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 +https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address +https://twitter.com/cyb3rops/status/1063072865992523776 +https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting +https://twitter.com/Oddvarmoe/status/1641712700605513729 +https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ +https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22 +https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html +https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ +https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ +https://www.ietf.org/rfc/rfc2821.txt 
+https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone +https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ +https://man.openbsd.org/ssh_config#LocalCommand +https://nvd.nist.gov/vuln/detail/CVE-2023-2283 +https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ +https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords +https://twitter.com/SBousseaden/status/1410545674773467140 +https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= +https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ +https://twitter.com/timbmsft/status/900724491076214784 +https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md +https://twitter.com/SBousseaden/status/1183745981189427200 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell +https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md +https://twitter.com/gN3mes1s/status/1222095371175911424 +https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml +https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ 
+https://twitter.com/malwrhunterteam/status/1235135745611960321 +https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ +https://github.com/GossiTheDog/HiveNightmare +https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ +https://twitter.com/mrd0x/status/1461041276514623491 +https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md +https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log +https://www.yeahhub.com/list-installed-programs-version-path-windows/ +https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception +https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/ +https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet +https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html +https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon +https://man7.org/linux/man-pages/man1/ncat.1.html +https://github.com/pimps/JNDI-Exploit-Kit +https://ss64.com/nt/syntax-redirection.html +https://www.poweradmin.com/paexec/ +https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr +https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task +https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx +https://github.com/GhostPack/Seatbelt +https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection +https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ +https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing +https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country +https://github.com/sensepost/reGeorg +https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ +https://www.activecyber.us/activelabs/windows-uac-bypass +https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md +https://github.com/sensepost/ruler/issues/47 +https://any-api.com/amazonaws_com/eks/docs/API_Description +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension +https://twitter.com/SBousseaden/status/1581300963650187264? 
+https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 +https://www.scythe.io/library/threat-emulation-qakbot +https://twitter.com/Wietze/status/1542107456507203586 +https://twitter.com/ankit_anubhav/status/1518835408502620162 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry +https://twitter.com/pabraeken/status/990717080805789697 +https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf +https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 +https://twitter.com/JohnLaTwC/status/1082851155481288706 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md +https://github.com/pathtofile/bad-bpf +https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md +https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ +https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua +https://hijacklibs.net/ +https://www.joesandbox.com/analysis/790122/0/html +https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +https://twitter.com/mrd0x/status/1480785527901204481 +https://twitter.com/oroneequalsone/status/1568432028361830402 +https://cobalt.io/blog/kerberoast-attack-techniques +https://github.com/Maka8ka/NGLite +https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ +https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete 
+https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/ +https://positive.security/blog/ms-officecmd-rce +https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ +https://github.com/gtworek/PSBits/tree/master/SIP +https://threatpost.com/microsoft-petitpotam-poc/168163/ +https://book.hacktricks.xyz/pentesting-web/file-inclusion +https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js +https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid +https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg +https://xmrig.com/docs/miner/command-line-options +https://twitter.com/mattifestation/status/1326228491302563846 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time +https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ +https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html +https://github.com/skelsec/pypykatz +https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations +https://twitter.com/tifkin_/status/1321916444557365248 +https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d +https://lolbas-project.github.io/lolbas/Libraries/Desk/ +https://ss64.com/osx/osacompile.html +https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/ +https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e 
+https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md +https://github.com/pr0xylife/Qakbot/ +https://github.com/mvelazc0/PurpleSharp +https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +https://twitter.com/aboul3la/status/1286012324722155525 +https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424 +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil +https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20 +https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ +https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ +https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 +https://labs.withsecure.com/publications/detecting-onenote-abuse +https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +https://www.us-cert.gov/ncas/analysis-reports/AR18-312A +https://linuxhint.com/uninstall_yum_package/ +https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core +https://twitter.com/johnlatwc/status/1408062131321270282?s=12 +https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/ 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md +https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc +https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html +https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics +https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell +https://github.com/shantanu561993/SharpChisel +http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +https://twitter.com/0gtweet/status/1281103918693482496 +https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d +https://www.justice.gov/file/1080281/download +https://twitter.com/kagancapar/status/1515219358234161153 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image +https://github.com/cloudflare/cloudflared +https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ +https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 +https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ +https://lab52.io/blog/2344-2/ +https://twitter.com/neonprimetime/status/1436376497980428318 +https://twitter.com/h4x0r_dz/status/1445401960371429381 
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1 +https://twitter.com/SBousseaden/status/1090588499517079552 +https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0 +https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 +https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS +https://github.com/hfiref0x/UACME +https://www.sygnia.co/golden-saml-advisory +https://github.com/Dec0ne/KrbRelayUp +https://twitter.com/EmericNasi/status/1623224526220804098 +https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +https://github.com/Wh04m1001/SysmonEoP +https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 +https://redcanary.com/threat-detection-report/ +https://github.com/Shellntel/scripts/ +https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ +https://github.com/jpillora/chisel/ +https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html +https://unit42.paloaltonetworks.com/bluesky-ransomware/ +https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ +https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html +https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs +https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ +https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ 
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military +https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +https://twitter.com/bohops/status/1583916360404729857 +https://twitter.com/0gtweet/status/1359039665232306183?s=21 +https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files +https://twitter.com/nas_bench/status/1537896324837781506 +https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html +https://support.anydesk.com/Automatic_Deployment +https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass +https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade- +https://twitter.com/deviouspolack/status/832535435960209408 +https://www.youtube.com/watch?v=DLtJTxMWZ2o +https://twitter.com/Purp1eW0lf/status/1616144561965002752 +https://kb.vmware.com/s/article/85717 +http://www.securityfocus.com/infocus/1633 +https://github.com/Ridter/cve-2020-0688 +https://youtu.be/5mqid-7zp8k?t=2481 +https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps +https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html +https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool +https://twitter.com/SBousseaden/status/1207671369963646976 +https://man7.org/linux/man-pages/man8/kmod.8.html +https://twitter.com/_dirkjan/status/1309214379003588608 +https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ +https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b 
+https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ +https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo +https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 +https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ +https://car.mitre.org/wiki/CAR-2013-05-002 +https://redcanary.com/blog/right-to-left-override/ +https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html +https://twitter.com/wdormann/status/1478011052130459653?s=20 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell +https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 +https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/ +https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ +https://github.com/OTRF/detection-hackathon-apt29/issues/14 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md +https://twitter.com/mattifestation/status/986280382042595328 +https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md +https://github.com/Wh04m1001/CVE-2023-36874 +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec +https://twitter.com/Hexacorn/status/1224848930795552769 +https://twitter.com/aceresponder/status/1636116096506818562 +https://twitter.com/bh4b3sh/status/1303674603819081728 +https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ +https://twitter.com/gN3mes1s/status/941315826107510784 +https://twitter.com/menasec1/status/1111556090137903104 
+https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634 +https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +https://github.com/LOLBAS-Project/LOLBAS/pull/239/files +https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ +https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 +https://twitter.com/Gal_B1t/status/1062971006078345217 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md +https://github.com/adrecon/AzureADRecon +https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps +https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html +https://twitter.com/am0nsec/status/1412232114980982787 +https://bad-jubies.github.io/RCE-NOW-WHAT/ +https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py +https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md +https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md +https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set +https://isc.sans.edu/diary/25686 +https://attack.mitre.org/techniques/T1064 +https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md +https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries 
+https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations +https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk +https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker +https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md +https://www.computerhope.com/unix/unohup.htm +https://github.com/FireFart/hivenightmare/ +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md +https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm +https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg +https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html +https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft +https://github.com/antonioCoco/JuicyPotatoNG +https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html +https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis +https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html +https://labs.f-secure.com/blog/prelude-to-ransomware-systembc +https://twitter.com/gN3mes1s/status/1222095963789111296 +https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ +https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/ +https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9 
+https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7 +https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst +https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ +https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ +https://github.com/kavika13/RemCom +https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ +https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md +https://perishablepress.com/blacklist/ua-2013.txt +https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html +https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ +https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ +https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 +https://learn.microsoft.com/en-us/windows/wsl/install-on-server +https://twitter.com/rikvduijn/status/853251879320662017 +https://redmimicry.com +https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods +https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a +https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) +https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html 
+https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py +https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 +https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap +https://breakdev.org/pwndrop/ +https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html +https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg +https://lolbas-project.github.io/lolbas/Binaries/Wsreset +https://www.mandiant.com/resources/evolution-of-fin7 +https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ +https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection +https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna +https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb +https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md +https://linux.die.net/man/1/bash +https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +https://pypi.org/project/scapy/ +https://www.advanced-port-scanner.com/ +https://twitter.com/wdormann/status/1347958161609809921 
+https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/ +https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware +https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html +https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance +https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md +https://twitter.com/200_okay_/status/1194765831911215104 +https://blog.alsid.eu/dcshadow-explained-4510f52fc19d +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md +https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +https://twitter.com/christophetd/status/1164506034720952320 +https://content.fireeye.com/apt-41/rpt-apt41 +https://unit42.paloaltonetworks.com/ransomware-families/ +https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 +https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +https://man7.org/linux/man-pages/man8/ld.so.8.html +https://twitter.com/PhilipTsukerman/status/992021361106268161 
+https://twitter.com/nas_bench/status/1534916659676422152 +https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/ +https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ +https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html +https://twitter.com/mgreen27/status/1558223256704122882 +https://twitter.com/oulusoyum/status/1191329746069655553 +https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619 +https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ +https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/ +https://persistence-info.github.io/Data/userinitmprlogonscript.html +https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ +https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar +https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ +https://attack.mitre.org/techniques/T1090/ +https://labs.f-secure.com/blog/scheduled-task-tampering/ +https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e +https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181 +https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/ +https://github.com/BloodHoundAD/BloodHound +https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9 +https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ +https://linuxhint.com/view-tomcat-logs-windows/ +https://twitter.com/matthieugarin/status/1183970598210412546 +https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 +https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ 
+https://twitter.com/nas_bench/status/1537919885031772161 +https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ +https://twitter.com/cyb3rops/status/1552932770464292864 +https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ +https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +https://www.openwall.com/lists/oss-security/2019/10/14/1 +https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection +https://blog.reconinfosec.com/emergence-of-akira-ransomware-group +https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ +https://github.com/winsiderss/systeminformer +https://twitter.com/cglyer/status/1355171195654709249 +https://github.com/mitre-attack/bzar#indicators-for-attck-execution +https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ +https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 +https://github.com/LandGrey/CVE-2018-2894 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd +https://twitter.com/Moti_B/status/1008587936735035392 +https://twitter.com/pyn3rd/status/1020620932967223296 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md +https://github.com/matterpreter/DefenderCheck +https://twitter.com/SBousseaden/status/1490608838701166596 +https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services +https://twitter.com/nas_bench/status/1433344116071583746 +https://github.com/Gui774ume/ebpfkit 
+https://twitter.com/duzvik/status/1269671601852813320 +https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility +https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ +https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py +https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte +https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt +https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ +https://github.com/topotam/PetitPotam +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib +https://github.com/ohpe/juicy-potato +https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN +https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 +https://www.makeuseof.com/how-to-install-and-use-doas/ +https://persistence-info.github.io/Data/htmlhelpauthor.html +https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html +https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ 
+https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
+https://support.citrix.com/article/CTX267679
+https://twitter.com/ber_m1ng/status/1397948048135778309
+https://kubernetes.io/docs/concepts/workloads/controllers/job/
+https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
+https://twitter.com/0gtweet/status/1476286368385019906
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
+https://githubmemory.com/repo/FunctFan/JNDIExploit
+https://redcanary.com/blog/child-processes/
+https://twitter.com/inversecos/status/1494174785621819397
+https://adsecurity.org/?p=3466
+https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
+https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
+https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
+https://www.blumira.com/cve-2023-2283/
+https://twitter.com/cyb3rops/status/1562072617552678912
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
+https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
+https://twitter.com/SBousseaden/status/1387530414185664538
+https://github.com/Gerenios/AADInternals
+https://github.com/murataydemir/CVE-2021-27905
+https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+https://github.com/mgeeky/Stracciatella
+https://twitter.com/JohnLaTwC/status/835149808817991680
+https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
+https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
+https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
+https://dtm.uk/wuauclt/
+https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
+https://twitter.com/filip_dragovic/status/1590104354727436290
+https://github.com/defaultnamehere/cookie_crimes/
+https://twitter.com/Hexacorn/status/776122138063409152
+https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
+https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
+https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+https://nmap.org/ncat/
+https://twitter.com/j0nh4t/status/1429049506021138437
+https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
+https://github.com/rapid7/metasploit-framework/pull/17407
+https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
+https://twitter.com/KevTheHermit/status/1410203844064301056
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
+https://msdn.microsoft.com/en-us/library/cc220234.aspx
+https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
+https://github.com/HiwinCN/HTran
+https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+http://edgeguides.rubyonrails.org/security.html
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
+https://twitter.com/vysecurity/status/873181705024266241
+https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
+https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
+https://www.fortiguard.com/threat-signal-report/4718?s=09
+https://learn.microsoft.com/en-us/windows/win32/shell/csidl
+https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
+https://book.hacktricks.xyz/shells/shells/linux
+https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
+https://persistence-info.github.io/Data/mpnotify.html
+https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
+https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
+https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
+https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+https://www.dfirnotes.net/portproxy_detection/
+https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
+https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+https://twitter.com/dottor_morte/status/1544652325570191361
+https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
+https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
+https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
+https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
+https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
+https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
+https://ss64.com/osx/dsenableroot.html
+https://twitter.com/gN3mes1s/status/1222088214581825540
+https://github.com/kagancapar/CVE-2022-29072
+https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
+https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
+https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
+https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
+https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
+https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
+https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
+https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
+https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
+https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
+https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent
+https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
+https://twitter.com/nas_bench/status/1535981653239255040
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
+https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
+https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
+https://twitter.com/momika233/status/1626464189261942786
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
+https://twitter.com/0gtweet/status/1583356502340870144
+https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
+https://github.com/M2Team/Privexec/
+https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
+https://github.com/quarkslab/quarkspwdump
+https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+https://twitter.com/SBousseaden/status/1387743867663958021
+https://twitter.com/nas_bench/status/1618021415852335105
+https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
+https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
+https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
+https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
+https://github.com/vu-ls/Crassus
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
+https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
+https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+https://github.com/surya-dev-singh/AmsiBypass-OpenSession
+https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
+https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
+https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
+https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
+https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
+https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
+https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
+https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
+https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
+https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
+https://twitter.com/SecurityJosh/status/1283027365770276866
+https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
+https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
+http://www.gmer.net/
+https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
+https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
+https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
+https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
+https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
+https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist
+https://github.com/S12cybersecurity/RDPCredentialStealer
+https://twitter.com/0gtweet/status/1638069413717975046
+https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
+https://twitter.com/lefterispan/status/1286259016436514816
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
+https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
+https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
+https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
+https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
+https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
+https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
+https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
+https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+https://redcanary.com/blog/misbehaving-rats/
+https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
+https://reaqta.com/2017/11/short-journey-darkvnc/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
+https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
+https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
+https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
+https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
+https://objective-see.org/blog/blog_0x4B.html
+https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
+https://youtu.be/7aemGhaE9ds?t=641
+https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
+https://twitter.com/elliotkillick/status/1449812843772227588
+https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+https://en.wikipedia.org/wiki/HTML_Application
+https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
+https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
+https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
+https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
+https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
+https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
+https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+https://github.com/electron/rcedit
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
+https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
+https://twitter.com/nas_bench/status/1550836225652686848
+https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
+https://github.com/arget13/DDexec
+https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
+https://github.com/Arno0x/DNSExfiltrator
+https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
+https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
+https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
+https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
+https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
+https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
+https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
+https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
+https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
+https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
+https://forensafe.com/blogs/typedpaths.html
+https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
+https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+https://twitter.com/crep1x/status/1635034100213112833
+https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
+https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+https://github.com/netero1010/TrustedPath-UACBypass-BOF
+https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
+https://twitter.com/breakersall/status/1533493587828260866
+https://github.com/Neo23x0/Raccine#the-process
+https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
+https://github.com/deepinstinct/Lsass-Shtinkering
+https://t.co/ezOTGy1a1G
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
+https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
+https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
+https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+https://attack.mitre.org/groups/G0010/
+https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+https://lolbas-project.github.io/lolbas/Binaries/Vbc/
+https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
+https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+https://redmimicry.com/posts/redmimicry-winnti/
+https://securelist.com/my-name-is-dtrack/93338/
+https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
+https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
+http://www.powertheshell.com/ntfsstreams/
+https://pentestlaboratories.com/2021/12/08/process-ghosting/
+https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
+https://github.com/GhostPack/KeeThief
+https://twitter.com/SBousseaden/status/1541920424635912196
+https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
+https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
+https://twitter.com/malmoeb/status/1511760068743766026
+https://github.com/SigmaHQ/sigma/pull/3946
+https://twitter.com/Moti_B/status/909449115477659651
+https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
+https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
+https://twitter.com/malmoeb/status/1535142803075960832
+https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
+https://twitter.com/Flangvik/status/1283054508084473861
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
+https://twitter.com/cglyer/status/1182389676876980224
+https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+https://twitter.com/mrd0x/status/1479094189048713219
+https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
+https://twitter.com/SwiftOnSecurity/status/1455897435063074824
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
+https://www.python.org/dev/peps/pep-0249/#exceptions
+https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
+https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
+https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
+https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
+https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
+https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
+https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
+https://nvd.nist.gov/vuln/detail/CVE-2021-26084
+https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
+https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
+https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+https://twitter.com/DrunkBinary/status/1063075530180886529
+https://twitter.com/frack113/status/1555830623633375232
+https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+https://forensicitguy.github.io/agenttesla-vba-certutil-download/
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
+https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
+https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
+https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
+https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
+https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+https://github.com/cube0x0/KrbRelay
+https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
+https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
+https://github.com/danielbohannon/Invoke-DOSfuscation
+https://man7.org/linux/man-pages/man8/getcap.8.html
+https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
+https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
+https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+https://twitter.com/SBousseaden/status/1195284233729777665
+https://twitter.com/0gtweet/status/1354766164166115331
+https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+https://twitter.com/jonasLyk/status/1347900440000811010
+https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
+https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
+https://github.com/denandz/KeeFarce
+https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+https://twitter.com/ForensicITGuy/status/1334734244120309760
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
+https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
+https://reaqta.com/2017/12/mavinject-microsoft-injector/
+https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
+https://www.spamhaus.org/statistics/tlds/
+https://sec.okta.com/fastpassphishingdetection
+https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
+https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
+https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
+https://www.epicturla.com/blog/sysinturla
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
+https://twitter.com/0gtweet/status/1560732860935729152
+https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
+https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
+https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
+https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
+https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
+https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
+https://abuse.io/lockergoga.txt
+https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
+https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
+https://twitter.com/mrd0x/status/1511415432888131586
+https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
+https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
+https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
+https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
+https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
+https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
+https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
+https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
+https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
+https://github.com/LOLBAS-Project/LOLBAS/pull/264
+https://infosec.exchange/@sbousseaden/109542254124022664
+https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
+https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
+https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
+https://www.cisecurity.org/controls/cis-controls-list/
+https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+https://twitter.com/cyb3rops/status/972186477512839170
+https://twitter.com/MalwareJake/status/870349480356454401
+https://www.glitch-cat.com/p/green-lambert-and-attack
+https://www.passcape.com/windows_password_recovery_dpapi_credhist
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+https://twitter.com/pfiatde/status/1681977680688738305
+https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
+https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
+https://lolbas-project.github.io
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
+https://redcanary.com/blog/rclone-mega-extortion/
+https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
+https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
+https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
+https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
+https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
+https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
+https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
+http://pastebin.com/FtygZ1cg
+https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
+https://twitter.com/AdamTheAnalyst/status/1134394070045003776
+https://persistence-info.github.io/Data/hhctrl.html
+https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
+https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
+https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
+https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
+https://github.com/Kevin-Robertson/Powermad
+https://redcanary.com/blog/lateral-movement-winrm-wmi/
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
+https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
+https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
+https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
+https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
+https://support.f5.com/csp/article/K52145254
+https://twitter.com/neu5ron/status/1438987292971053057?s=20
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
+https://techgenix.com/malicious-powershell-scripts-evade-detection/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
+https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
+https://linux.die.net/man/8/insmod
+https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
+https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
+https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
+https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
+https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
+https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+https://twitter.com/SBousseaden/status/1483810148602814466
+https://github.com/mttaggart/OffensiveNotion
+https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
+https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
+https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
+https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
+https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
+https://github.com/nettitude/Invoke-PowerThIEf
+https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
+https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
+https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
+https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
+https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
+https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure
+https://github.com/bohops/WSMan-WinRM
+https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
+https://twitter.com/JohnLaTwC/status/1004895028995477505
+https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
+https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
+https://www.exploit-db.com/exploits/47297
+https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+https://twitter.com/SBousseaden/status/1189469425482829824
+https://zero2auto.com/2020/05/19/netwalker-re/
+https://twitter.com/HunterPlaybook/status/1301207718355759107
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
+https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
+https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
+https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
+https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
+https://twitter.com/med0x2e/status/1520402518685200384
+https://github.com/DarkCoderSc/PowerRunAsSystem/
+https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
+http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
+https://decoded.avast.io/martinchlumecky/png-steganography/
+https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
+https://github.com/vnhacker1337/CVE-2022-27925-PoC
+https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
+https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
+https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
+https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
+https://attack.mitre.org/software/S0108/
+https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
+https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
+https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
+https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
+https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
+https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
+https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
+https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+https://www.autoitscript.com/site/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
+https://twitter.com/eral4m/status/1451112385041911809
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
+http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
+https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
+https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
+https://www.shellhacks.com/clear-history-powershell/
+https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
+https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner
+https://github.com/Neo23x0/auditd/blob/master/audit.rules
+https://github.com/lclevy/firepwd
+https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
+https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
+https://www.exploit-db.com/exploits/47696
+https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
+https://twitter.com/anfam17/status/1607477672057208835
+https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
+https://ss64.com/ps/foreach-object.html
+https://www.youtube.com/watch?v=ro2QuZTIMBM
+https://www.qurium.org/alerts/targeted-malware-against-crph/
+https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
+https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
+https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
+https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
+https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
+https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
+https://github.com/nknorg/nkn-sdk-go
+https://github.com/S3cur3Th1sSh1t/SharpImpersonation
+https://twitter.com/sbousseaden/status/1523383197513379841
+https://twitter.com/nas_bench/status/1539679555908141061
+https://twitter.com/rbmaslen/status/1321859647091970051
+https://www.php.net/manual/en/features.commandline.php
+https://twitter.com/AdamTheAnalyst/status/1483497517119590403
+https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
+https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
+https://twitter.com/CyberRaiju/status/1251492025678983169
+https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
+https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+https://www.youtube.com/watch?v=ebmW42YYveI
+https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
+https://access.redhat.com/security/cve/cve-2019-14287
+https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+https://twitter.com/malmoeb/status/1560536653709598721
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
+https://twitter.com/Alh4zr3d/status/1580925761996828672
+https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
+https://thedfirreport.com/2023/03/06/2022-year-in-review/
+https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
+https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
+https://twitter.com/SBousseaden/status/1184067445612535811
+https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
+https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
+https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
+https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
+https://youtu.be/n2dFlSaBBKo
+https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
+https://twitter.com/JohnLaTwC/status/1415295021041979392
+https://twitter.com/Hexacorn/status/885258886428725250
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
+https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
+https://securelist.com/schroedingers-petya/78870/
+https://twitter.com/GossiTheDog/status/1429175908905127938
+https://twitter.com/davisrichardg/status/1616518800584704028
+https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
+https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
+https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
+https://lolbas-project.github.io/lolbas/Binaries/Teams/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
+https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+https://www.exploit-db.com/exploits/19525
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
+https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
+https://persistence-info.github.io/Data/powershellprofile.html
+https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
+https://gtfobins.github.io/gtfobins/rvim/
+https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+https://blooteem.com/march-2022
+https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
+https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
+https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+https://curl.se/docs/manpage.html
+https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
+https://twitter.com/kmkz_security/status/1220694202301976576
+https://twitter.com/eral4m/status/1479080793003671557
+https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
+https://developers.onelogin.com/api-docs/1/events/event-resource/
+https://lolbas-project.github.io/lolbas/Binaries/Certreq/
+https://github.com/payloadbox/xss-payload-list
+https://tools.thehacker.recipes/mimikatz/modules
+https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
+https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
+https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+https://www.localpotato.com/
+https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
+https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
+https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
+https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
+https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
+https://www.rarlab.com/vuln_rev3_names.html
+https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
+https://twitter.com/countuponsec/status/910969424215232518
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
+https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
+https://www.joesandbox.com/analysis/443736/0/html
+https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
+https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
+https://github.com/OTRF/detection-hackathon-apt29/issues/16
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
+https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
+https://persistence-info.github.io/Data/wpbbin.html
+https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
+https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
+https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
+https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+https://redcanary.com/blog/ebpf-malware/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
+https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+https://github.com/eset/malware-ioc/tree/master/oceanlotus
+https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
+https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
+https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
+https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
+https://github.com/SigmaHQ/sigma/issues/1009
+https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
+https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
+https://twitter.com/yorickkoster/status/1279709009151434754
+https://pentestlab.blog/2017/03/30/weak-service-permissions/
+https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
+https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
+https://linux.die.net/man/1/xwd
+https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
+https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
+https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
+https://blog.harmj0y.net/redteaming/another-word-on-delegation/
+https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+https://www.virusradar.com/en/Win32_Kasidet.AD/description
+https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
+https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
+https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
+https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
+https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
+https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
+https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
+http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
+https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
+https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
+https://twitter.com/an0n_r0/status/1474698356635193346?s=12
+http://www.irongeek.com/homoglyph-attack-generator.php
+https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+https://ss64.com/bash/rar.html
+https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
+https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
+https://mez0.cc/posts/cobaltstrike-powershell-exec/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
+https://attack.mitre.org/techniques/T1105/
+https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+https://reqrypt.org/windivert-doc.html
+https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+https://twitter.com/mrd0x/status/1465058133303246867
+https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
+https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
+https://github.com/MythicAgents/typhon/
+https://github.com/RiccardoAncarani/TaskShell/
+https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
+https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
+https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
+https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
+https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
+https://twitter.com/0gtweet/status/1468548924600459267
+https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
+https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
+https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
+https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
+https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
+https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
+https://twitter.com/SBousseaden/status/1278977301745741825
+https://www.exploit-db.com/exploits/39161
+https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
+https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
+https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
+https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+https://old.zeek.org/zeekweek2019/slides/bzar.pdf
+https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
+https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+https://twitter.com/cyb3rops/status/1460978167628406785
+https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
+https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
+https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +https://www.sans.org/blog/wmic-for-incident-response/ +https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml +https://redcanary.com/blog/yellow-cockatoo/ +https://www.cisa.gov/uscert/ncas/alerts/aa20-259a +https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ +https://rclone.org/ +https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65 +https://persistence-info.github.io/Data/ifilters.html +https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672 +https://persistence-info.github.io/Data/windowsterminalprofile.html +https://twitter.com/pabraeken/status/995837734379032576 +https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +https://twitter.com/mariuszbit/status/1531631015139102720 +https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign +https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore +https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder +https://twitter.com/EricaZelic/status/1614075109827874817 +https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 
+https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION +https://github.com/Immersive-Labs-Sec/nimbuspwn +https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html +https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing +https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +https://www.pdq.com/pdq-deploy/ +https://ss64.com/osx/sysadminctl.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/ +https://lolbas-project.github.io/lolbas/Binaries/Replace/ +https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ +https://loldrivers.io/ +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7 +https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0 +https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf +https://lolbas-project.github.io/lolbas/Binaries/Regasm/ +https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp +https://asec.ahnlab.com/en/39828/ +https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ +https://blog.hackvens.fr/articles/CoercedPotato.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/ +https://processhacker.sourceforge.io/ +https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ +https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget +https://cyber.wtf/2021/11/15/guess-whos-back/ +https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/ 
+https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md +https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ +https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ +https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt +https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ +https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py +https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a +https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/ +https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ +https://www.echotrail.io/insights/search/regsvr32.exe +https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml +https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +https://twitter.com/cyb3rops/status/1617108657166061568?s=20 +https://o365blog.com/aadinternals/ +https://github.com/BloodHoundAD/AzureHound +https://twitter.com/NathanMcNulty/status/1569497348841287681 +https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html +https://twitter.com/_st0pp3r_/status/1560072680887525378 +https://twitter.com/vxunderground/status/1423336151860002816 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md 
+https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ +https://github.com/elastic/detection-rules/pull/1213 +https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf +https://twitter.com/_st0pp3r_/status/1583914515996897281 +https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies +https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/ +https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern +https://twitter.com/neu5ron/status/1346245602502443009 +https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 +https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml +https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa +https://twitter.com/Hexacorn/status/991447379864932352 +https://twitter.com/wdormann/status/1486161836961579020 +https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ +https://guides.lib.umich.edu/c.php?g=282942&p=1885348 +https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html +https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection +https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ +https://adsecurity.org/?p=2604 +https://lolbas-project.github.io/lolbas/Binaries/Ieexec/ +https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ +https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4 
+https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass +https://twitter.com/jamieantisocial/status/1304520651248668673 +https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md +https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +https://liberty-shell.com/sec/2020/02/25/shim-persistence/ +https://redcanary.com/blog/intelligence-insights-december-2021 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 +https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ +https://www.yang99.top/index.php/archives/82/ +https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ +https://www.cobaltstrike.com/help-opsec +https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 +https://twitter.com/r00tbsd/status/1679042071477338114/photo/1 +https://twitter.com/PythonResponder/status/1385064506049630211 +https://networkraptor.blogspot.com/2015/01/user-agent-strings.html +https://linux.die.net/man/1/dd +https://man7.org/linux/man-pages/man7/bpf-helpers.7.html +https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer +https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ +https://www.py2exe.org/ +https://twitter.com/malmoeb/status/1550483085472432128 +https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 
+https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization +https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml +https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf +https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee +https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ +https://blog.lexfo.fr/xortigate-cve-2023-27997.html +http://woshub.com/how-to-clear-rdp-connections-history/ +https://github.com/mitre-attack/bzar#indicators-for-attck-persistence +https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback +https://github.com/besimorhino/powercat +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script +https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md +https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html +https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps +https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol +https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +https://isc.sans.edu/diary/26734 +https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ +https://twitter.com/ReaQta/status/1222548288731217921 +https://twitter.com/MsftSecIntel/status/1257324139515269121 +https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f +https://github.com/SigmaHQ/sigma/issues/253 
+https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md +https://twitter.com/splinter_code/status/1483815103279603714 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md +https://www.tecmint.com/different-types-of-linux-shells/ +https://twitter.com/malmoeb/status/1570814999370801158 +https://github.com/ORCx41/DeleteShadowCopies +https://www.varonis.com/blog/investigate-ntlm-brute-force +https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/ +https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList +https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423 +https://www.vmware.com/security/advisories/VMSA-2021-0002.html +https://twitter.com/cyberwar_15/status/1187287262054076416 +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/ +https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md +https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ +https://persistence-info.github.io/Data/lsaaextension.html +https://github.com/TheD1rkMtr/AMSI_patch +https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ +https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html +https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner +https://twitter.com/parzel2/status/1665726454489915395 +https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps 
+https://www.zerodayinitiative.com/advisories/ZDI-21-1308/ +https://www.advanced-ip-scanner.com/ +https://twitter.com/pabraeken/status/998627081360695297 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd +https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 +https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ +https://github.com/OTRF/detection-hackathon-apt29/issues/6 +https://www.virustotal.com/gui/domain/paste.ee/relations +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy +https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py +https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/ +https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 +https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/ +https://en.wikipedia.org/wiki/Hangul_(word_processor) +https://twitter.com/harr0ey/status/992008180904419328 +https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx +https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +https://github.com/RiccardoAncarani/LiquidSnake +https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 +https://www.us-cert.gov/ncas/alerts/TA17-117A +https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf +https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ 
+http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html +https://docs.djangoproject.com/en/1.11/ref/exceptions/ +https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script +https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 +https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html +https://steemit.com/utopian-io/@ah101/uac-bypassing-utility +https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ +https://youtu.be/zSihR3lTf7g +https://www.teamviewer.com/en-us/ +https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ +https://www.x86matthew.com/view_post?id=embed_exe_lnk +https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html +https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7 +https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/ +https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ +https://docs.microsoft.com/en-us/sysinternals/downloads/procdump +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/ +https://blogs.jpcert.or.jp/en/2022/07/yamabot.html +https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ +https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/ 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md +https://github.com/cube0x0/CVE-2021-1675 +https://twitter.com/hexacorn/status/1448037865435320323 +https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a +https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d +https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685 +https://twitter.com/M_haggis/status/1699056847154725107 +https://systeminformer.sourceforge.io/ +https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ +https://twitter.com/bryon_/status/975835709587075072 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher +https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv +https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm +https://linux.die.net/man/1/xclip +https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html +https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html 
+https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ +https://github.com/YfryTchsGD/Log4jAttackSurface +https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 +https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ +https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 +https://twitter.com/menasec1/status/1106899890377052160 +https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1 +https://thedfirreport.com/2020/10/08/ryuks-return +https://blogs.jpcert.or.jp/en/2023/05/gobrat.html +https://twitter.com/FlemmingRiis/status/1217147415482060800 +http://www.xuetr.com/ +https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843 +https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md +https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ +https://lolbas-project.github.io/lolbas/Binaries/Extexport/ +https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/ +https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ +https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ +https://github.com/OTRF/detection-hackathon-apt29/issues/12 +https://ss64.com/nt/mklink.html +https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md +https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ +https://twitter.com/Hexacorn/status/885570278637678592 +https://ss64.com/nt/cmd.html +https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ +https://twitter.com/WindowsDocs/status/1620078135080325122 +https://linuxize.com/post/how-to-delete-group-in-linux/ +https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/ +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows +https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ +https://github.com/dsnezhkov/TruffleSnout +https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ +https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf +https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection +https://twitter.com/bohops/status/1276357235954909188?s=12 +https://cloud.google.com/storage/docs/json_api/v1/buckets +https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 +https://twitter.com/1ZRR4H/status/1534259727059787783 +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials +https://github.com/diego-treitos/linux-smart-enumeration +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management +https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py 
+https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md +https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ +https://www.google.com/search?q=%22reg.exe+save%22+sam +https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466 +https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats +https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ +https://learn.microsoft.com/en-us/windows/package-manager/winget/source +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets +https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ +https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +https://www.radmin.fr/ +https://threathunterplaybook.com/library/windows/active_directory_replication.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ +https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +https://twitter.com/1kwpeter/status/1397816101455765504 +https://twitter.com/SBousseaden/status/1464566846594691073?s=20 +https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md +https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191 +https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ +https://twitter.com/OTR_Community/status/1371053369071132675 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture +https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178 +https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 +https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 +https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ +https://access.redhat.com/articles/4409591#audit-record-types-2 +https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx +https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ +https://twitter.com/MichalKoczwara/status/1553634816016498688 +https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 +https://cloud.google.com/dns/docs/reference/v1/managedZones +https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ +https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ +https://www.zerodayinitiative.com/advisories/ZDI-23-491/ +https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ +https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 +https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ +https://github.com/PowerShellMafia/PowerSploit +http://blog.sevagas.com/?Hacking-around-HTA-files +https://github.com/apache/spark/pull/36315/files +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 
+https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md +https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html +https://persistence-info.github.io/Data/wer_debugger.html +https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ +https://twitter.com/nas_bench/status/1534957360032120833 +https://lolbas-project.github.io/lolbas/Binaries/Msdt/ +https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ +https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/ +https://github.com/codewhitesec/HandleKatz +https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ +https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ +https://github.com/xmrig/xmrig/tree/master/bin/WinRing0 +https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf +https://blog.viettelcybersecurity.com/saml-show-stopper/ +https://twitter.com/pabraeken/status/991335019833708544 +https://adsecurity.org/?p=3458 +https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html +https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples +https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/ +https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08 +https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup 
+https://twitter.com/d4rksystem/status/1357010969264873472
+https://github.com/sqlmapproject/sqlmap
+https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
+https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
+https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
+https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
+https://securityxploded.com/
+https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
+https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
+https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
+https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
+https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
+https://twitter.com/ORCA6665/status/1496478087244095491
+https://gtfobins.github.io/gtfobins/apt/
+https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
+https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
+https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
+https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
+https://car.mitre.org/wiki/CAR-2016-04-005
+https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
+https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
+https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
+https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
+https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
+https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
+https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
+https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
+https://github.com/malcomvetter/CSExec
+https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
+https://twitter.com/Kostastsale/status/1565257924204986369
+https://twitter.com/forensicitguy/status/1513538712986079238
+https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
+https://redcanary.com/blog/applescript/
+https://www.fortypoundhead.com/showcontent.asp?artid=24022
+https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
+https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
+https://twitter.com/DissectMalware/status/1062879286749773824
+https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
+https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
+https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
+https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
+https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
+https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
+https://github.com/BC-SECURITY/Empire
+https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
+https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
+https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
+https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
+https://twitter.com/0xBoku/status/1679200664013135872
+https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
+https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
+https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
+https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+https://man7.org/linux/man-pages/man1/passwd.1.html
+https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
+https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
+https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
+https://twitter.com/nas_bench/status/1535322182863179776
+https://lolbas-project.github.io/lolbas/Binaries/Ftp/
+https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
+https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
+https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
+https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
+https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
+https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+https://twitter.com/mrd0x/status/1511489821247684615
+https://github.com/byt3bl33d3r/CrackMapExec
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
+https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
+https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN
+https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
+https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
+https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
+https://redcanary.com/blog/blue-mockingbird-cryptominer/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
+https://adsecurity.org/?p=2398
+https://twitter.com/SBousseaden/status/1167417096374050817
+https://github.com/Azure/Azure-Sentinel/pull/3059
+https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+https://www.softwaretestinghelp.com/how-to-use-ngrok/
+https://lolbas-project.github.io/lolbas/Binaries/Rundll32
+https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+https://github.com/HarmJ0y/DAMP
+https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+https://github.com/elastic/detection-rules/pull/1145/files
+https://twitter.com/countuponsec/status/910977826853068800
+https://twitter.com/cyb3rops/status/1514217991034097664
+https://github.com/Ekultek/BlueKeep
+https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
+https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
+https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
+https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
+https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
+https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
+https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
+https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
+https://github.com/cube0x0/CVE-2021-36934
+https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+https://attack.mitre.org/techniques/T1021/001/
+https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
+https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
+https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
+https://securelist.com/apt-luminousmoth/103332/
+https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+https://twitter.com/_JohnHammond/status/1531672601067675648
+https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
+https://twitter.com/mrd0x/status/1463526834918854661
+https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+https://github.com/gtworek/PSBits/tree/master/IFilter
+https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7
+https://twitter.com/cglyer/status/1183756892952248325
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
+https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
+https://nodejs.org/api/cli.html
+https://www.nextron-systems.com/?s=antivirus
+https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
+https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
+https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+https://research.splunk.com/endpoint/linux_doas_tool_execution/
+https://github.com/byt3bl33d3r/SILENTTRINITY
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
+https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
+https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
+https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
+https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
+https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
+https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
+https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
+https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+https://github.com/kavika13/RemCom/
+https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
+https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
+https://adsecurity.org/?p=2288
+https://twitter.com/killamjr/status/1179034907932315648
+https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
+https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
+https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+https://twitter.com/bl4sty/status/1445462677824761878
+https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
+https://github.com/hackvens/CoercedPotato
+https://www.intrinsec.com/apt27-analysis/
+https://github.com/Neo23x0/DLLRunner
+https://thedfirreport.com/2020/10/08/ryuks-return/
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
+https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
+https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
+https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
+https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
+https://o365blog.com/post/aadbackdoor/
+https://twitter.com/Carlos_Perez/status/883455096645931008
+https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
+https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
+https://twitter.com/Hexacorn/status/885553465417756673
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
+https://twitter.com/gentilkiwi/status/861641945944391680
+https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
+https://learn.microsoft.com/en-us/windows/win32/api/winevt/
+https://twitter.com/_0xf4n9x_/status/1572052954538192901
+https://gtfobins.github.io/gtfobins/vimdiff/
+http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
+https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
+https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
+https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+https://nvd.nist.gov/vuln/detail/CVE-2021-41773
+https://asec.ahnlab.com/en/38156/
+https://github.com/OTRF/detection-hackathon-apt29/issues/8
+https://www.anquanke.com/post/id/226029
+https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+https://github.com/tyranid/DotNetToJScript
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
+https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
+https://lolbas-project.github.io/lolbas/Binaries/Runonce/
+http://woshub.com/manage-windows-firewall-powershell/
+https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
+https://github.com/samratashok/nishang
+https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
+https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
+https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
+https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
+https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+https://mrd0x.com/stealing-tokens-from-office-applications/
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
+https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
+https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
+https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
+https://lolbas-project.github.io/lolbas/Binaries/Diantz/
+https://twitter.com/0gtweet/status/1666716511988330499
+https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+https://gtfobins.github.io/gtfobins/nohup/
+https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
+https://twitter.com/kleiton0x7e/status/1600567316810551296
+https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
+https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
+https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
+https://github.com/mttaggart/quasar
+https://github.com/GhostPack/Rubeus
+https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+https://ss64.com/osx/dseditgroup.html
+https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
+https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+https://alamot.github.io/reverse_shells/
+https://ss64.com/nt/dsacls.html
+https://github.com/OTRF/detection-hackathon-apt29/issues/7
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
+https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
+https://twitter.com/M_haggis/status/900741347035889665
+https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
+https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+https://support.citrix.com/article/CTX267027
+https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
+https://twitter.com/ClearskySec/status/960924755355369472
+https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
+https://github.com/rootm0s/WinPwnage
+https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
+https://github.com/ehang-io/nps
+https://linux.die.net/man/8/pam_tty_audit
+https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
+https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
+https://lolbas-project.github.io/lolbas/Binaries/Certoc/
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity
+https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
+http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/
+https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
+https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+https://lolbas-project.github.io/lolbas/Binaries/Findstr/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
+https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
+https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
+https://lolbas-project.github.io/lolbas/Scripts/Winrm/
+https://twitter.com/INIT_3/status/1410662463641731075
+https://twitter.com/nas_bench/status/1626648985824788480
+https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
+https://twitter.com/fuzzyf10w/status/1410202370835898371
+https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
+https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
+https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
+https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
+https://twitter.com/malmoeb/status/1616702107242971144
+https://twitter.com/tccontre18/status/1480950986650832903
+https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
+https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+https://attack.mitre.org/datasources/DS0005/
+https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
+https://swarm.ptsecurity.com/unauth-rce-vmware
+https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
+https://github.com/elastic/detection-rules/pull/1214
+https://twitter.com/Hexacorn/status/1420053502554951689
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html
+https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
+https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
+https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+https://github.com/p3nt4/PowerShdll
+https://github.com/Tylous/ZipExec
+https://lolbas-project.github.io/lolbas/Binaries/Psr/
+https://twitter.com/gN3mes1s/status/1206874118282448897
+https://persistence-info.github.io/Data/amsi.html
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
+https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+https://github.com/payloadbox/ssti-payloads
+https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
+https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
+https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
+https://decoded.avast.io/martinchlumecky/png-steganography
+https://linux.die.net/man/8/userdel
+https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
+https://github.com/OTRF/detection-hackathon-apt29/issues/9
+https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token
+https://twitter.com/d1r4c/status/1279042657508081664
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
+https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
+https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
+https://twitter.com/JohnLaTwC/status/1223292479270600706
+https://github.com/WiredPulse/Invoke-HiveNightmare
+https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
+https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+https://blog.assetnote.io/2021/11/02/sitecore-rce/
+https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+https://www.remoteutilities.com/support/kb/host-service-won-t-start/
+https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
+https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+https://twitter.com/cube0x0/status/1418920190759378944
+https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
+https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
+https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
+https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
+https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
+https://twitter.com/filip_dragovic/status/1590052248260055041
+https://github.com/projectdiscovery/nuclei-templates
+https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
+https://www.zscaler.com/blogs/security-research/steal-it-campaign
+https://twitter.com/0gtweet/status/1206692239839289344
+https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
+https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
+https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
+https://redcanary.com/threat-detection-report/threats/dridex/
+https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
+https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
+https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
+https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
+https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
+https://bczyz1.github.io/2021/01/30/psexec.html
+https://twitter.com/mattifestation/status/1196390321783025666
+https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
+https://twitter.com/pyn3rd/status/1351696768065409026
+https://twitter.com/felixw3000/status/853354851128025088
+https://github.com/gabe-k/themebleed
+https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
+https://github.com/helpsystems/nanodump
+https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
+https://powersploit.readthedocs.io/en/stable/Recon/README
+https://www.autohotkey.com/download/
+https://bpftrace.org/
+https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
+https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
+https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+http://managed670.rssing.com/chan-5590147/all_p1.html
+https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
+https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
+https://github.com/cube0x0
+https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
+https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
+https://twitter.com/craiu/status/1167358457344925696
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
+https://github.com/Azure/SimuLand
+https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
+https://github.com/GhostPack/SharpUp
+https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+https://twitter.com/vysecurity/status/885545634958385153
+https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
+https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
+https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
+https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+https://twitter.com/pabraeken/status/993497996179492864
+https://twitter.com/bohops/status/994405551751815170
+https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
+https://twitter.com/MaD_c4t/status/1623414582382567424
+https://twitter.com/JohnLaTwC/status/837743453039534080
+https://github.com/frgnca/AudioDeviceCmdlets
+https://github.com/h3v0x/CVE-2021-26084_Confluence
+https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
+https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
+https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
+https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
+https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
+https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
+https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
+https://github.com/OTRF/detection-hackathon-apt29/issues/17
+https://twitter.com/0gtweet/status/1474899714290208777?s=12
+https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
+https://windows-internals.com/printdemon-cve-2020-1048/
+https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
+https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
+https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
+https://blog.talosintelligence.com/ipfs-abuse/
+https://twitter.com/j00sean/status/1537750439701225472
+https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
+https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
+https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
+https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
+https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+https://twitter.com/ffforward/status/1481672378639912960
+http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
+https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
+https://twitter.com/0gtweet/status/1299071304805560321?s=21
+https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
+https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
+https://redcanary.com/blog/email-forwarding-rules/
+https://github.com/kleiton0x00/RedditC2
+https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
+https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+https://twitter.com/StopMalvertisin/status/1648604148848549888
+https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
+https://github.com/GossiTheDog/SystemNightmare
+https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+https://twitter.com/0gtweet/status/1628720819537936386
+https://twitter.com/CyberRaiju/status/1273597319322058752
+https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md +https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/ +https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang +https://adsecurity.org/?p=2277 +https://persistence-info.github.io/Data/naturallanguage6.html +https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile +https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts +https://github.com/lijiejie/IIS_shortname_Scanner +https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 +https://securelist.com/operation-triangulation/109842/ +https://twitter.com/pabraeken/status/990758590020452353 +https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ +https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo +https://twitter.com/VakninHai/status/1517027824984547329 +https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8 +https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79 +https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ 
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/ +https://github.com/sensepost/impersonate +https://twitter.com/bohops/status/980659399495741441 +https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md +https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu +https://github.com/hlldz/Invoke-Phant0m +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md +https://twitter.com/MalwareJake/status/1410421967463731200 +https://securelist.com/the-epic-turla-operation/65545/ +https://twitter.com/dez_/status/1560101453150257154 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md +https://twitter.com/0gtweet/status/1526833181831200770 +https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ +https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ +https://twitter.com/sec715/status/1373472323538362371 +https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts +https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell +https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +https://vanmieghem.io/stealth-outlook-persistence/ +https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider +https://github.com/adrecon/ADRecon +https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +https://github.com/zeronetworks/rpcfirewall +https://twitter.com/SBousseaden/status/1451237393017839616 +https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623 +https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3 
+https://o365blog.com/post/adfs/ +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts +https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ +https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/ +http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow +https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist +https://adsecurity.org/?p=2921 +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 +https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 +https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d +https://twitter.com/cyb3rops/status/1186631731543236608 +https://github.com/Rhynorater/CVE-2018-15473-Exploit +https://redcanary.com/blog/blackbyte-ransomware/ +https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation +https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ +https://hashcat.net/wiki/doku.php?id=hashcat +https://github.com/S3cur3Th1sSh1t/WinPwn +https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ +https://twitter.com/mrd0x/status/1460815932402679809 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md +https://www.arxiv-vanity.com/papers/2008.04676/ 
+https://www.nirsoft.net/utils/nircmd.html +https://twitter.com/m417z/status/1566674631788007425 +https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md +https://github.com/corelight/CVE-2021-1675 +https://redmimicry.com/posts/redmimicry-winnti/#dropper +https://twitter.com/GossiTheDog/status/1392965209132871683?s=20 +https://twitter.com/max_mal_/status/1542461200797163522 +https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine +https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html +https://twitter.com/subTee/status/891298217907830785 +https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ +https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/ +https://github.com/swagkarna/Defeat-Defender-V1.2.0 +https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md +https://twitter.com/nas_bench/status/1535431474429808642 +https://twitter.com/sbousseaden/status/1531653369546301440 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task +https://ngrok.com/docs +https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/ +https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md +https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html +https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +https://twitter.com/eral4m/status/1479106975967240209 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md +https://twitter.com/SBousseaden/status/1429530155291193354?s=20 +https://twitter.com/jseerden/status/1247985304667066373/photo/1 +https://support.citrix.com/article/CTX276688 +https://github.com/search?q=CVE-2021-36934 +https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ +https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting +https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ +https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ +https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations +https://attack.mitre.org/matrices/enterprise/cloud/ +https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion +https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat +https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware 
+https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ +https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 +https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly +https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 +https://twitter.com/mpgn_x64/status/1216787131210829826 +https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19 +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0 +https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ +https://github.com/tangxiaofeng7/apache-log4j-poc +https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe +https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ +https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources +https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/ +https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md +https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html +https://gtfobins.github.io/gtfobins/apt-get/ +https://securelist.com/faq-the-projectsauron-apt/75533/ +https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html +https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2 
+https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing +https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions +https://twitter.com/nas_bench/status/1534915321856917506 +https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/ +https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe +https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/ +https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf +https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +https://www.echotrail.io/insights/search/msbuild.exe +https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 +https://attack.mitre.org/techniques/T1548/001/ +https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html +https://www.nirsoft.net/utils/nircmd2.html#using +https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html +https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md +https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916 +https://mn3m.info/posts/suid-vs-capabilities/ +https://twitter.com/vysecurity/status/977198418354491392 +https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in +https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return +https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters 
+https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes +https://twitter.com/Oddvarmoe/status/993383596244258816 +https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md +https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ +https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md +https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 +https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 +https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2 +https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek +https://twitter.com/nas_bench/status/1535322445439180803 +https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a +https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ +https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md +https://www.tenable.com/security/research/tra-2021-13 +https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html +https://securelist.com/chafer-used-remexi-malware/89538/ +https://github.com/fireeye/DueDLLigence +https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 +https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 +https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md 
+https://www.exploit-db.com/exploits/37525 +https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ +https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting +https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +https://github.com/SigmaHQ/sigma/issues/3742 +https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/ +https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 +https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ +https://twitter.com/nao_sec/status/1530196847679401984 +https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate +https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml +https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html +https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection +https://twitter.com/stvemillertime/status/1024707932447854592 +https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md +https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code +https://www.echotrail.io/insights/search/ilasm.exe 
+https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 +https://redcanary.com/blog/clipping-silver-sparrows-wings/ +https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ +https://persistence-info.github.io/Data/codesigning.html +https://ss64.com/nt/netsh.html +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md +https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials +https://github.com/Hackplayers/evil-winrm +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task +https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ +https://portswigger.net/web-security/cross-site-scripting/contexts +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows +https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf +https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events +https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97 +https://github.com/binderlabs/DirCreate2System +https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx +https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ +https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/ +https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors 
+https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ +https://github.com/advisories/GHSA-7g5f-wrx8-5ccf +https://imagemagick.org/ +https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows +https://github.com/CCob/MirrorDump +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md +https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md +https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets +https://www.us-cert.gov/ncas/alerts/TA17-293A +https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e +https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml +https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques +https://github.com/0xf4n9x/CVE-2022-46169 +https://github.com/tennc/webshell +https://twitter.com/VM_vivisector/status/1217190929330655232 +https://www.infosecademy.com/netcat-reverse-shells/ +https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection +https://twitter.com/mattifestation/status/899646620148539397 +https://research.splunk.com/endpoint/windows_possible_credential_dumping/ +https://redcanary.com/threat-detection-report/threats/qbot/ 
+https://github.com/cw1997/NATBypass +https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html +https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html +https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/ +https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md +https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma +https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html +https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser +https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus +https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate +https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py +https://gtfobins.github.io/gtfobins/ssh/ +https://twitter.com/SBousseaden/status/1139811587760562176 +https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ +https://lolbas-project.github.io/lolbas/Binaries/Msedge/ +https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml +https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile +https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope +http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules +https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east 
+https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ +https://www.mandiant.com/resources/blog/lnk-between-browsers +https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html +https://youtu.be/5mqid-7zp8k?t=2231 +https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md +https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image +https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents +https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase +https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/ +https://github.com/connormcgarr/LittleCorporal +https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 +https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend +https://lolbas-project.github.io/lolbas/Binaries/Print/ +https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55 +https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ +https://www.youtube.com/watch?v=Ie831jF0bb0 +https://twitter.com/nas_bench/status/1535322450858233858 +https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md +https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ +https://twitter.com/bopin2020/status/1366400799199272960 +https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ 
+https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ +https://xz.aliyun.com/t/12175 +https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +https://github.com/Kevin-Robertson/Inveigh +https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md +https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml +https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection +https://twitter.com/wdormann/status/1547583317410607110 +https://medium.com/@blueteamops/shimcache-flush-89daff28d15e +https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc +https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 +https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ +https://nsudo.m2team.org/en-us/ +https://redcanary.com/blog/chromeloader/ +https://h.43z.one/ipconverter/ +https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html +https://technet.microsoft.com/en-us/library/security/4022344 +https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html +https://pentestlab.blog/2020/02/24/parent-pid-spoofing/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules +https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ +https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf +https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION +https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ 
+https://twitter.com/0gtweet/status/1564968845726580736 +https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ +https://twitter.com/notwhickey/status/1333900137232523264 +https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files +https://github.com/outflanknl/Dumpert +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows +https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb +https://securelist.com/locked-out/68960/ +https://man.openbsd.org/ssh_config#ProxyCommand +https://blog.f-secure.com/analysis-of-lockergoga-ransomware/ +https://developers.onelogin.com/api-docs/1/events/event-resource +https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization +https://twitter.com/xorJosh/status/1598646907802451969 +https://adsecurity.org/?p=2053 +https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ +https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html +https://www.offensive-security.com/metasploit-unleashed/timestomp/ +https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers +https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md +https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8 +https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ +https://github.com/win3zz/CVE-2023-25157 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery +http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html +https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish +https://twitter.com/JAMESWT_MHT/status/1699042827261391247 +https://twitter.com/mrd0x/status/1478234484881436672?s=12 +https://goo.gl/PsqrhT +https://twitter.com/pythonresponder/status/1385064506049630211?s=21 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd +https://twitter.com/menasec1/status/1104489274387451904 +https://twitter.com/pabraeken/status/993298228840992768 +https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html +https://twitter.com/JohnLaTwC/status/850381440629981184 +https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 +https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ +https://twitter.com/_JohnHammond/status/1588155401752788994 +https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A +https://www.google.com/search?q=procdump+lsass +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md +https://twitter.com/t3ft3lb/status/1656194831830401024 +https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1 
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md +https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09 +https://github.com/search?q=CVE-2021-43798 +https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/ +https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 +https://twitter.com/jhencinski/status/1102695118455349248 +https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md +https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +https://twitter.com/SBousseaden/status/1096148422984384514 +https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw +https://twitter.com/gbti_sa/status/1249653895900602375?lang=en +https://twitter.com/vanitasnk/status/1437329511142420483?s=21 +https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer +https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw +https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 +https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/ +https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ +https://twitter.com/pabraeken/status/999090532839313408 +https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19 +https://twitter.com/_st0pp3r_/status/1583922009842802689 +https://twitter.com/sbousseaden/status/1555200155351228419 +https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A +https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf 
+https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md +https://twitter.com/bohops/status/948061991012327424 +https://twitter.com/cyb3rops/status/1659175181695287297 +https://twitter.com/Max_Mal_/status/1661322732456353792 +https://twitter.com/jackcr/status/807385668833968128 +https://github.com/snovvcrash/DInjector +https://twitter.com/sbousseaden/status/1429401053229891590?s=12 +https://twitter.com/Oddvarmoe/status/985518877076541440 +https://twitter.com/M_haggis/status/1032799638213066752 +https://twitter.com/0gtweet/status/1674399582162153472 +https://www.joesandbox.com/analysis/476188/1/iochtml +https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20 +https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ +https://twitter.com/ItsReallyNick/status/1094080242686312448 +https://twitter.com/SBousseaden/status/1101431884540710913 +https://twitter.com/eral4m/status/1480468728324231172?s=20 +https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1 +https://twitter.com/GadixCRK/status/1369313704869834753?s=20 +https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd +https://twitter.com/ScumBots/status/1610626724257046529 +https://twitter.com/WhichbufferArda/status/1658829954182774784 +https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html +https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp +https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf 
+https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf +https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 +https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2 +https://twitter.com/x86matthew/status/1505476263464607744?s=12 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine +https://twitter.com/bohops/status/1635288066909966338 +https://twitter.com/bohops/status/1477717351017680899?s=12 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md +https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive +https://twitter.com/mrd0x/status/1481630810495139841?s=12 +https://twitter.com/Kostastsale/status/1700965142828290260 +https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw +https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 +https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf +https://github.com/LOLBAS-Project/LOLBAS/pull/147 +https://twitter.com/sbousseaden/status/1282441816986484737?s=12 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md +https://twitter.com/wdormann/status/1590434950335320065 +https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation +https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html 
+https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1 +https://github.com/audibleblink/xordump +https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md +https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf +https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md +https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ +https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection +https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md +https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951 +https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64 +https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba 
+https://www.trustedsec.com/july-2015/malicious-htas/ +https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md +https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ +https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html +https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap +https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml +https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py +https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf +https://github.com/AlsidOfficial/WSUSpendu/ +https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045 +https://github.com/klinix5/InstallerFileTakeOver +https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) +https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html +https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf +https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md +https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf +https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ +https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps +https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 
+https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 +https://streamable.com/q2dsji +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md +https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ +https://github.com/zerosum0x0/CVE-2019-0708 +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download +https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf +https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml +https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r +https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a +https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md +https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1 +https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md +https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021] +https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ +https://github.com/elastic/detection-rules/issues/1371 +https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf +https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html +https://github.com/D1rkMtr/UnhookingPatch 
+https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html +https://twitter.com/hFireF0X/status/897640081053364225 +https://www.mdeditor.tw/pl/pgRt +https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 +https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 +https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py +https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command +https://github.com/LOLBAS-Project/LOLBAS/pull/180 +https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 +https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 +https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/ +https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 +https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g +https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 +https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw +https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ +https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html +https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866 +https://www.sans.org/webcasts/119395 
+https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html +https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry +https://github.com/hhlxf/PrintNightmare +https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 +https://github.com/1337Rin/Swag-PSO +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md +https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html +https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427 +https://github.com/afwu/PrintNightmare +https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ +https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D +https://www.ampliasecurity.com/research/windows-credentials-editor/ +https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection +https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md +https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md +https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ +https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp +https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver +https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 
+https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
+https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
+https://twitter.com/luc4m/status/1073181154126254080
+https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
+https://www.joesandbox.com/analysis/465533/0/html
+https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
+https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+https://wikileaks.org/vault7/#Pandemic
+https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
+https://twitter.com/mrd0x/status/1475085452784844803?s=12
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
+https://kb.acronis.com/content/60892
+https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
+https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
+https://twitter.com/vysecurity/status/974806438316072960
+https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
diff --git a/tests/thor.yml b/tests/thor.yml
index ca70842a7..e122b7f20 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -281,7 +281,7 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
- #PowerShell Operational
+ # PowerShell Operational
 ps_module:
 category: ps_module
 product: windows
@@ -298,7 +298,7 @@ logsources:
 rewrite:
 product: windows
 service: powershell
- #Powershell "classic" channel
+ # Powershell "classic" channel
 ps_classic_start:
 category: ps_classic_start
 product: windows
diff --git a/unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index 9ad3ce471..6ed7ad39a 100644
--- a/unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -23,7 +23,7 @@ detection:
 operation:
 #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
 #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
- - LsarLookupNames3 #method translates a batch of security principal names to their SID form
+ - LsarLookupNames3 #method translates a batch of security principal names to their SID form
 - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
 - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
 - SamrLookupIdsInDomain #method translates a set of RIDs into account names