diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml index adb1e30fc..0860e557c 100644 --- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml +++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml @@ -1,6 +1,6 @@ title: Rejetto HTTP File Server RCE id: a133193c-2daa-4a29-8022-018695fcf0ae -status: experimental +status: test description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287 references: - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/ diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml index 682e43579..b9bec4de8 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml @@ -1,6 +1,6 @@ title: CVE-2021-41773 Exploitation Attempt id: 3007fec6-e761-4319-91af-e32e20ac43f5 -status: experimental +status: test description: | Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml index 697865552..4a2ef9565 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml 
@@ -1,6 +1,6 @@ title: Log4j RCE CVE-2021-44228 in Fields id: 9be472ed-893c-4ec0-94da-312d2765f654 -status: experimental +status: test description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell) references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml index c1145049d..b7ac162c2 100644 --- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml +++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml @@ -1,6 +1,6 @@ title: Exchange ProxyShell Pattern id: 23eee45e-933b-49f9-ae1b-df706d2d52ef -status: experimental +status: test description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) references: - https://youtu.be/5mqid-7zp8k?t=2231 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml index b542a5370..49746fb11 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml @@ -1,6 +1,6 @@ title: Zimbra Collaboration Suite Email Server Unauthenticated RCE id: dd218fb6-4d02-42dc-85f0-a0a376072efd -status: experimental +status: test description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection references: - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/ 
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml index b94d97cb0..051ba4540 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml @@ -1,6 +1,6 @@ title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass id: fcf1101d-07c9-49b2-ad81-7e421ff96d80 -status: experimental +status: test description: | Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml index 095072476..01ef72fc0 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml @@ -1,6 +1,6 @@ title: CVE-2022-31659 VMware Workspace ONE Access RCE id: efdb2003-a922-48aa-8f37-8b80021a9706 -status: experimental +status: test description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659 references: - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml index 1cf72efe2..ec4286e57 100644 
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml @@ -1,6 +1,6 @@ title: Apache Spark Shell Command Injection - Weblogs id: 1a9a04fd-02d1-465c-abad-d733fd409f9c -status: experimental +status: test description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective references: - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml index b8dd2926f..161dd5a6a 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml @@ -1,6 +1,6 @@ title: Atlassian Bitbucket Command Injection Via Archive API id: 65c0a0ab-d675-4441-bd6b-d3db226a2685 -status: experimental +status: test description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804 references: - https://twitter.com/_0xf4n9x_/status/1572052954538192901 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml index a7180e1b3..649685829 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2022-46169 Exploitation Attempt id: 738cb115-881f-4df3-82cc-56ab02fc5192 -status: experimental +status: test description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169 references: - https://github.com/0xf4n9x/CVE-2022-46169 diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml index bc6d0776f..9b05e9bf3 100644 --- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml +++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml @@ -1,6 +1,6 @@ title: Potential OWASSRF Exploitation Attempt - Webserver id: 181f49fa-0b21-4665-a98c-a57025ebb8c7 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml index 3377316b7..af0415977 100644 --- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml +++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml 
@@ -1,6 +1,6 @@ title: OWASSRF Exploitation Attempt Using Public POC - Webserver id: 92d78c63-5a5c-4c40-9b60-463810ffb082 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules/category/database/db_anomalous_query.yml b/rules/category/database/db_anomalous_query.yml index 3b0ef7027..2810e8541 100644 --- a/rules/category/database/db_anomalous_query.yml +++ b/rules/category/database/db_anomalous_query.yml @@ -1,6 +1,6 @@ title: Suspicious SQL Query id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5 -status: experimental +status: test description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields author: '@juju4' date: 2022/12/27 diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml index fc4f7caf4..c52d5975b 100644 --- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml +++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml @@ -1,6 +1,6 @@ title: SES Identity Has Been Deleted id: 20f754db-d025-4a8f-9d74-e0037e999a9a -status: experimental +status: test description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml index 8e13c18dd..ea5f53b8d 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml 
+++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml @@ -3,7 +3,7 @@ id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e related: - id: d08722cd-3d09-449a-80b4-83ea2d9d4616 type: similar -status: experimental +status: test description: Detects calls to hidden files or files located in hidden directories in NIX systems. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml index 6788ea844..1ba00ab8e 100644 --- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml +++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml @@ -1,6 +1,6 @@ title: Persistence Via Sudoers Files id: ddb26b76-4447-4807-871f-1b035b2bfa5d -status: experimental +status: test description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user. references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml index 66311708c..4c56cf49f 100644 --- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml +++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml @@ -1,6 +1,6 @@ title: Triple Cross eBPF Rootkit Default LockFile id: c0239255-822c-4630-b7f1-35362bcb8f44 -status: experimental +status: test description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml index e07e35706..81fc28ec8 100644 --- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml +++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml @@ -1,6 +1,6 @@ title: Triple Cross eBPF Rootkit Default Persistence id: 1a2ea919-d11d-4d1e-8535-06cda13be20f -status: experimental +status: test description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method references: - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml index 5e7c45d95..f8d78e676 100644 --- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml @@ -1,6 +1,6 @@ title: Capabilities Discovery - Linux id: d8d97d51-122d-4cdd-9e2f-01b4b4933530 -status: experimental +status: test description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml index fb8f9b8ca..6d10e5a4f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml +++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml 
@@ -1,6 +1,6 @@ title: Group Has Been Deleted Via Groupdel id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 -status: experimental +status: test description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml index e65fede77..2ef7e1b58 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml +++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml @@ -1,6 +1,6 @@ title: Apt GTFOBin Abuse - Linux id: bb382fd5-b454-47ea-a264-1828e4c766d6 -status: experimental +status: test description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution references: - https://gtfobins.github.io/gtfobins/apt/ diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml index c61ab6526..de4f854c3 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml +++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml @@ -1,6 +1,6 @@ title: Vim GTFOBin Abuse - Linux id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea -status: experimental +status: test description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution references: - https://gtfobins.github.io/gtfobins/vim/ diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml index 0975b798b..48712c358 100644 --- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml +++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml 
@@ -1,6 +1,6 @@ title: Suspicious Package Installed - Linux id: 700fb7e8-2981-401c-8430-be58e189e741 -status: experimental +status: test description: Detects installation of suspicious packages using system installation utilities references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml index c24d14e00..7c15f0efb 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml @@ -3,7 +3,7 @@ id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf related: - id: 85de3a19-b675-4a51-bfc6-b11a5186c971 type: similar -status: experimental +status: test description: Detects usage of "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml index 50f15fe25..8abc41bc3 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml @@ -1,6 +1,6 @@ title: Suspicious Git Clone - Linux id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446 -status: experimental +status: test description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml index f226f649b..eed85d3c1 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_userdel.yml +++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml @@ -1,6 +1,6 @@ title: User Has Been Deleted Via Userdel id: 08f26069-6f80-474b-8d1f-d971c6fedea0 -status: experimental +status: test description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml index d4da8acbc..8cf0416cf 100644 --- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -1,6 +1,6 @@ title: Linux Webshell Indicators id: 818f7b24-0fba-4c49-a073-8b755573b9c7 -status: experimental +status: test description: Detects suspicious sub processes of web server processes references: - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml index 0a7ba1c03..9590d7a92 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml @@ -1,6 +1,6 @@ title: Suspicious Execution via macOS Script Editor id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 -status: experimental +status: test description: Detects when the macOS Script Editor utility spawns an unusual child process. author: Tim Rauch (rule), Elastic (idea) references: 
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml index 9d94cc951..9aebe117c 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml @@ -3,7 +3,7 @@ id: 85de3a19-b675-4a51-bfc6-b11a5186c971 related: - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf type: similar -status: experimental +status: test description: Detects usage of "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml index 6d858d7a5..fca3b416a 100644 --- a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml +++ b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml @@ -1,6 +1,6 @@ title: Potential OWASSRF Exploitation Attempt - Proxy id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml index bcd0eb70d..bbfdda302 100644 --- a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml +++ b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml 
@@ -1,6 +1,6 @@ title: OWASSRF Exploitation Attempt Using Public POC - Proxy id: fdd7e904-7304-4616-a46a-e32f917c4be4 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml index 31ca5769b..189ba702e 100644 --- a/rules/web/webserver_generic/web_susp_useragents.yml +++ b/rules/web/webserver_generic/web_susp_useragents.yml @@ -1,6 +1,6 @@ title: Suspicious User-Agents Related To Recon Tools id: 19aa4f58-94ca-45ff-bc34-92e533c0994a -status: experimental +status: test description: Detects known suspicious (default) user-agents related to scanning/recon tools references: - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml index 3835da11a..f38d7742f 100644 --- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml +++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml @@ -1,6 +1,6 @@ title: Suspicious Windows Strings In URI id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e -status: experimental +status: test description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index 1b087a989..7d1fb21a0 100644 
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml @@ -3,7 +3,7 @@ id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca related: - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5 type: similar -status: experimental +status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml index 1b7b0338f..dd3ff2070 100644 --- a/rules/windows/builtin/security/win_security_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml @@ -1,6 +1,6 @@ title: Win Susp Computer Name Containing Samtheadmin id: 39698b3f-da92-4bc6-bfb5-645a98386e45 -status: experimental +status: test description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool references: - https://twitter.com/malmoeb/status/1511760068743766026 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml index c9b75f3bd..2b505d9ce 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml 
@@ -3,7 +3,7 @@ id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5 related: - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca type: similar -status: experimental +status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml index 247ab5363..37eea5768 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml @@ -1,6 +1,6 @@ title: Exchange PowerShell Cmdlet History Deleted id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe -status: experimental +status: test description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml index 6c3d9310b..b53864c7e 100644 --- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml +++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml @@ -1,6 +1,6 @@ title: Potential Remote Credential Dumping Activity id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a -status: experimental +status: test description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. references: - https://github.com/Porchetta-Industries/CrackMapExec 
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index 3ef18e300..4f2b40f7b 100644 --- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Notepad++ Plugins id: 54127bd4-f541-4ac3-afdb-ea073f63f692 -status: experimental +status: test description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml index 4aeb3536e..96e93c58d 100644 --- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml @@ -1,6 +1,6 @@ title: Potential RipZip Attack on Startup Folder id: a6976974-ea6f-4e97-818e-ea08625c52cb -status: experimental +status: test description: | Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml index b06fbaabf..0f8cc159d 100644 --- a/rules/windows/file/file_event/file_event_win_sam_dump.yml +++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml 
@@ -1,6 +1,6 @@ title: Potential SAM Database Dump id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0 -status: experimental +status: test description: Detects the creation of files that look like exports of the local SAM (Security Account Manager) references: - https://github.com/search?q=CVE-2021-36934 diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml index 3c9a63ebb..70a12e5a2 100644 --- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml +++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml @@ -1,6 +1,6 @@ title: Suspicious Creation with Colorcpl id: e15b518d-b4ce-4410-a9cd-501f23ce4a18 -status: experimental +status: test description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\ references: - https://twitter.com/eral4m/status/1480468728324231172?s=20 diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml index 2d3b6edcc..23de6de33 100644 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml @@ -1,6 +1,6 @@ title: Rename Common File to DLL File id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental +status: test description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection references: - https://twitter.com/ffforward/status/1481672378639912960 diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index 7596ad23e..f0cca6f2c 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -1,6 +1,6 @@ title: Suspicious Appended Extension id: e3f673b3-65d1-4d80-9146-466f8b63fa99 -status: experimental +status: test description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc. references: - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/ diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml index 9dc7dbeef..454209dd1 100644 --- a/rules/windows/image_load/image_load_side_load_coregen.yml +++ b/rules/windows/image_load/image_load_side_load_coregen.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Using Coregen.exe id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171 -status: experimental +status: test description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml index 49608737f..12c523d36 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml @@ -1,6 +1,6 @@ title: PowerShell Get Clipboard id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 -status: experimental +status: test description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml index 4411512e4..9b235eb1a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml @@ -3,7 +3,7 @@ id: 2f211361-7dce-442d-b78a-c04039677378 related: - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 type: derived -status: experimental +status: test description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 6b1cef4f7..5984513a7 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -3,7 +3,7 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - id: e55a5195-4724-480e-a77e-3ebe64bd3759 type: derived -status: experimental +status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 5628af37b..5b22d096c 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: ed965133-513f-41d9-a441-e38076a0798f type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems) date: 2017/03/12 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index bf4c04802..e3e58c6b4 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -7,7 +7,7 @@ related: type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml index 30e9e89c1..df3893d2b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml @@ -3,7 +3,7 @@ id: 91e69562-2426-42ce-a647-711b8152ced6 related: - id: c86500e9-a645-4680-98d7-f882c70c1ea3 type: similar -status: experimental +status: test description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml index fd1f82017..5560c705a 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml @@ -1,6 +1,6 @@ title: Potential In-Memory Execution Using Reflection.Assembly id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a -status: experimental +status: test description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml index 4d15f4b03..9b7fcf1e2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml @@ -3,7 +3,7 @@ id: 3c7d1587-3b13-439f-9941-7d14313dbdfe related: - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf type: similar -status: experimental +status: test description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index feb1f9fac..1dccc7e51 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml 
@@ -3,7 +3,7 @@ id: 55c925c1-7195-426b-a136-a9396800e29b related: - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918 type: similar -status: experimental +status: test description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index 13adc62bf..d43feb7e1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -3,7 +3,7 @@ id: df69cb1d-b891-4cd9-90c7-d617d90100ce related: - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f type: similar -status: experimental +status: test description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml index 3072d3a9d..cb3480643 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml 
@@ -1,6 +1,6 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 -status: experimental +status: test description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml index 49e612494..6e30760c7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Remote Session Creation id: a0edd39f-a0c6-4c17-8141-261f958e8d8f -status: experimental +status: test description: | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index baed83349..be739c0b4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -7,7 +7,7 @@ related: type: similar - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry type: similar -status: experimental +status: test description: Detects use of Set-ExecutionPolicy to set insecure policies references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml index 4488e2ae1..ca6e9f064 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Security Descriptors - ScriptBlock id: 2f77047c-e6e9-4c11-b088-a3de399524cd -status: experimental +status: test description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. references: - https://github.com/HarmJ0y/DAMP diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml index 8ab4eb08f..a1b662996 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml @@ -7,7 +7,7 @@ related: type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml index 61071b01b..fcb2b047a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml 
@@ -1,6 +1,6 @@ title: Change User Agents with WebRequest id: d4488827-73af-4f8d-9244-7b7662ef046e -status: experimental +status: test description: | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml index 785f036b6..f794f04bd 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml @@ -1,6 +1,6 @@ title: Potential Keylogger Activity id: 965e2db9-eddb-4cf6-a986-7a967df651e4 -status: experimental +status: test description: Detects PowerShell scripts that contains reference to keystroke capturing functions references: - https://twitter.com/ScumBots/status/1610626724257046529 diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index a02efba72..5b56c82bb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -3,7 +3,7 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d related: - id: 12f6b752-042d-483e-bf9c-915a6d06ad75 type: similar -status: experimental +status: test description: Detects when a user disables the Windows Firewall via a Profile to help evade defense. references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index 56b3043b4..abefd5c82 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -3,7 +3,7 @@ id: 504d63cb-0dba-4d02-8531-e72981aace2c related: - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 type: similar -status: experimental +status: test description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index f99ca8092..3d424306a 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml @@ -3,7 +3,7 @@ id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 related: - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab type: similar -status: experimental +status: test description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index 0cbb8cd55..2ee4d6d4d 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml 
@@ -3,7 +3,7 @@ id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab related: - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 type: similar -status: experimental +status: test description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml index ea8e5507b..557cdcec1 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml @@ -3,7 +3,7 @@ id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 related: - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 type: derived -status: experimental +status: test description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control references: - https://github.com/defaultnamehere/cookie_crimes/ diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml index 3bab78783..94c889d7f 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml 
@@ -3,7 +3,7 @@ id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 related: - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 type: derived -status: experimental +status: test description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 593b33c53..257b4e90b 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -1,6 +1,6 @@ title: Microsoft IIS Connection Strings Decryption id: 97dbf6e2-e436-44d8-abee-4261b24d3e41 -status: experimental +status: test description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml index f77f6cafa..fcd50fe54 100644 --- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml 
@@ -1,6 +1,6 @@ title: ImagingDevices Unusual Parent/Child Processes id: f11f2808-adb4-46c0-802a-8660db50fa99 -status: experimental +status: test description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml index 41509fdac..6bd179fff 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml @@ -1,6 +1,6 @@ title: Using AppVLP To Circumvent ASR File Path Rule id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 -status: experimental +status: test description: | Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml index 1640f883c..baa4e6019 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml @@ -1,6 +1,6 @@ title: Lolbin Defaultpack.exe Use As Proxy id: b2309017-4235-44fe-b5af-b15363011957 -status: experimental +status: test description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index c4cee55c9..0c064e3b4 100644 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml @@ -3,7 +3,7 @@ id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 related: - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 type: obsoletes -status: experimental +status: test description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml index 00bfdeb26..141c60a9e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml @@ -1,6 +1,6 @@ title: File Download Using ProtocolHandler.exe id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb -status: experimental +status: test description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml index 59ea8ff46..5395baa2c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml 
@@ -1,6 +1,6 @@ title: Lolbin Runexehelper Use As Proxy id: cd71385d-fd9b-4691-9b98-2b1f7e508714 -status: experimental +status: test description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs references: - https://twitter.com/0gtweet/status/1206692239839289344 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml index 36ca90da1..77d8793a8 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml @@ -1,6 +1,6 @@ title: Lolbin Unregmp2.exe Use As Proxy id: 727454c0-d851-48b0-8b89-385611ab0704 -status: experimental +status: test description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe" references: - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml index dbed9f99d..6c5a1cd82 100644 --- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Perl Inline Command Execution id: f426547a-e0f7-441a-b63e-854ac5bdf54d -status: experimental +status: test description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml index ae425450b..a13cb74d9 100644 
--- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Php Inline Command Execution id: d81871ef-5738-47ab-9797-7a9c90cd4bfb -status: experimental +status: test description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code. references: - https://www.php.net/manual/en/features.commandline.php diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index 796d5fe48..90041f383 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml @@ -3,7 +3,7 @@ id: c86500e9-a645-4680-98d7-f882c70c1ea3 related: - id: 91e69562-2426-42ce-a647-711b8152ced6 type: similar -status: experimental +status: test description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml index bc0c57874..685f4897c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml 
@@ -3,7 +3,7 @@ id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf related: - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe type: similar -status: experimental +status: test description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml index f62086100..030a7abc0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml @@ -1,6 +1,6 @@ title: PowerShell Web Download id: 6e897651-f157-4d8f-aaeb-df8151488385 -status: experimental +status: test description: Detects suspicious ways to download files or content using PowerShell references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml index 2cab5dfc3..efaf862a3 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml 
@@ -3,7 +3,7 @@ id: c740d4cf-a1e9-41de-bb16-8a46a4f57918 related: - id: 55c925c1-7195-426b-a136-a9396800e29b type: similar -status: experimental +status: test description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml index 72dcd5a32..cdd82e75f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml @@ -1,6 +1,6 @@ title: Suspicious Execution of Powershell with Base64 id: fb843269-508c-4b76-8b8d-88679db22ce7 -status: experimental +status: test description: Commandline to launch powershell with a base64 payload references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml index 73899bb5f..6fe238666 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml @@ -1,6 +1,6 @@ title: Suspicious PowerShell Encoded Command Patterns id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c -status: experimental +status: test description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml index 93be2928f..a3f8f4a2c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml @@ -1,6 +1,6 @@ title: Powershell Inline Execution From A File id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2 -status: experimental +status: test description: Detects inline execution of PowerShell code from a file references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml index 3d3dc52ea..2561e2681 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml @@ -3,7 +3,7 @@ id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f related: - id: df69cb1d-b891-4cd9-90c7-d617d90100ce type: similar -status: experimental +status: test description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml index 79cce4ba6..3a676d2ea 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/05 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml index da3e26906..b045fe33b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml @@ -5,7 +5,7 @@ related: type: derived - id: c1337eb8-921a-4b59-855b-4ba188ddcc42 type: similar -status: experimental +status: test description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml index 89c496f85..a1aceed79 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -3,7 +3,7 @@ id: deb9b646-a508-44ee-b7c9-d8965921c6b6 related: - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 type: similar -status: experimental +status: test description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: - https://github.com/danielbohannon/Invoke-Obfuscation 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml index 4523382b2..be33964e4 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml @@ -1,6 +1,6 @@ title: Net WebClient Casing Anomalies id: c86133ad-4725-4bd0-8170-210788e0a7ba -status: experimental +status: test description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml index 4c039671b..7b47c7d7e 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml @@ -3,7 +3,7 @@ id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 related: - id: 504d63cb-0dba-4d02-8531-e72981aace2c type: similar -status: experimental +status: test description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml index e34a064cd..bed8d9241 100644 --- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml 
@@ -1,6 +1,6 @@ title: Ruby Inline Command Execution id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8 -status: experimental +status: test description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index ecb2824ea..90b7cac65 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml @@ -3,7 +3,7 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d related: - id: 36c5146c-d127-4f85-8e21-01bf62355d5a type: obsoletes -status: experimental +status: test description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: - https://redcanary.com/blog/raspberry-robin/ diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml index fb8279682..1e15aaf74 100644 --- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml @@ -1,6 +1,6 @@ title: Potential Suspicious Activity Using SeCEdit id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb -status: experimental +status: test description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy references: - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml index 9f581bf06..4f2e2ab79 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml @@ -3,7 +3,7 @@ id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b related: - id: f35c5d71-b489-4e22-a115-f003df287317 type: derived -status: experimental +status: test description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml index aa5c0300c..d98c795a7 100644 --- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml +++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml @@ -1,6 +1,6 @@ title: Potential RDP Session Hijacking Activity id: 224f140f-3553-4cd1-af78-13d81bf9f7cc -status: experimental +status: test description: Detects potential RDP Session Hijacking activity on Windows systems references: - https://twitter.com/Moti_B/status/909449115477659651 diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml index 3f8b35c96..a5e9ca103 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml 
@@ -1,6 +1,6 @@ title: Change User Account Associated with the FAX Service id: e3fdf743-f05b-4051-990a-b66919be1743 -status: experimental +status: test description: Detect change of the user account associated with the FAX service to avoid the escalation problem. references: - https://twitter.com/dottor_morte/status/1544652325570191361 diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index adf10c8fc..d3d44b9c6 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml @@ -1,6 +1,6 @@ title: Change the Fax Dll id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513 -status: experimental +status: test description: Detect possible persistence using Fax DLL load when service restart references: - https://twitter.com/dottor_morte/status/1544652325570191361
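Review bot: the unchanged `description` context in the proc_creation_win_susp_priv_escalation_via_named_pipe.yml hunk does not match the rule it sits in. It reads "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", while the file name, the `related` entry and the Elastic reference (privilege-escalation-via-named-pipe-impersonation) all describe named pipe impersonation. A rule promoted to `status: test` should carry a description of what it actually detects; please correct it in the same commit rather than promoting it with a copy-pasted description from another rule.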
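Review bot: the `description` context line in the proc_creation_win_ruby_inline_command_execution.yml hunk has a grammar error, "This is could be used as a way to launch a reverse shell or execute live ruby code." Since the file is already being touched for the status change, drop the stray "is" ("This could be used ...") in the same commit.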
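Review bot: the `description` in the proc_creation_win_rundll32_susp_shellexec_execution.yml hunk contains a duplicated word, "as seen in the the raspberry-robin attack"; fix the doubled "the" while the file is being edited.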
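Review bot: the `description` in the proc_creation_win_secedit_execution.yml hunk is a sentence fragment, "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy"; join it into one sentence ("... using secedit.exe, such as exporting or modifying the security policy") before promoting the rule to `test`.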
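Review bot: the `description` in the proc_creation_win_powershell_x509enrollment.yml hunk, "Detect use of X509Enrollment", is too thin for a rule leaving `experimental`: it neither follows the "Detects ..." phrasing used by the other rules in this patch nor says why the behaviour is suspicious. Expand it to state what the rule looks for and why that matters, consistent with the cited reference, before changing the status.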
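Review bot: the `description` in the registry_set_fax_change_service_user.yml hunk, "Detect change of the user account associated with the FAX service to avoid the escalation problem.", is ambiguous: as written it reads as though the detected change is a mitigation rather than the suspicious behaviour the rule alerts on. Rephrase it to state the behaviour being detected and why it is relevant, and use the "Detects ..." form used elsewhere in the repository.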
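Review bot: the `description` in the registry_set_fax_dll_persistance.yml hunk, "Detect possible persistence using Fax DLL load when service restart", is ungrammatical; something like "Detects possible persistence via a modified Fax DLL that is loaded when the service restarts" would be clearer. Note also that the file name in the `diff --git` header spells "persistance" rather than "persistence"; a rename can be a separate change, but it is worth tracking.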