From ab663f9bcf9555cd99f61c2510b59c2994246b86 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 20 Nov 2021 10:56:41 +0100
Subject: [PATCH] Add MITTRE Technique
---
 .../powershell_invoke_nightmare.yml | 1 +
 ...hell_windows_firewall_profile_disabled.yml | 31 ++++++------
 .../process_creation_apt_slingshot.yml | 1 +
 .../process_creation_coti_sqlcmd.yml | 1 +
 .../win_crypto_mining_monero.yml | 47 ++++++++++---------
 ...in_monitoring_for_persistence_via_bits.yml | 1 +
 .../win_silenttrinity_stage_use.yml | 1 +
 7 files changed, 46 insertions(+), 37 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
index 5ad5d0275..4b0d42d1c 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
@@ -20,3 +20,4 @@ falsepositives:
 level: high
 tags:
 - attack.privilege_escalation
+ - attack.t1548
diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
index db4941656..a245cab0b 100644
--- a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
@@ -6,23 +6,24 @@ author: Austin Songer @austinsonger
 date: 2021/10/12
 modified: 2021/10/16
 references:
-- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
-- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
-- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
-- http://woshub.com/manage-windows-firewall-powershell/
+ - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
+ - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
+ - http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+ - http://woshub.com/manage-windows-firewall-powershell/
 logsource:
- product: windows
- category: ps_script
+ product: windows
+ category: ps_script
 detection:
- selection:
- ScriptBlockText|contains|all:
- - Set-NetFirewallProfile
- - -Profile
- - -Enabled
- - 'False'
- condition: selection
+ selection:
+ ScriptBlockText|contains|all:
+ - Set-NetFirewallProfile
+ - -Profile
+ - -Enabled
+ - 'False'
+ condition: selection
 tags:
-- attack.defense_evasion
+ - attack.defense_evasion
+ - attack.t1562.004
 level: high
 falsepositives:
-- Unknown
+ - Unknown
diff --git a/rules/windows/process_creation/process_creation_apt_slingshot.yml b/rules/windows/process_creation/process_creation_apt_slingshot.yml
index 7daf55bc5..6e04b4af0 100755
--- a/rules/windows/process_creation/process_creation_apt_slingshot.yml
+++ b/rules/windows/process_creation/process_creation_apt_slingshot.yml
@@ -9,6 +9,7 @@ references:
 - https://securelist.com/apt-slingshot/84312/
 tags:
 - attack.persistence
+ - attack.t1053.005
 - attack.s0111
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml
index 2b141c5d4..2e18a0f15 100644
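Review bot: The `modified: 2021/10/16` line near the top of this hunk is left as unchanged context although the commit (dated 2021/11/20 in the patch header) changes the rule's tags and re-indents its whole body; as far as I know the Sigma convention is to bump `modified` whenever a rule changes, so `modified: 2021/11/20` would keep the metadata truthful for consumers that key off it. The same applies to the `win_monitoring_for_persistence_via_bits.yml` hunk (`modified: 2021/07/15`) and the `win_silenttrinity_stage_use.yml` hunk (`modified: 2021/09/19`), where the `modified` line is likewise visible as untouched context; the remaining rules in this commit do not show that line inside their hunks, so I cannot tell from here whether it was updated. The rule's header (title, id, description) lies above line 6, outside the hunk.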
--- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml
+++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml
@@ -10,6 +10,7 @@ references:
 - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 tags:
 - attack.collection
+ - attack.t1005
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_crypto_mining_monero.yml b/rules/windows/process_creation/win_crypto_mining_monero.yml
index d4bade380..4db11b093 100644
--- a/rules/windows/process_creation/win_crypto_mining_monero.yml
+++ b/rules/windows/process_creation/win_crypto_mining_monero.yml
@@ -10,27 +10,30 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- CommandLine|contains:
- - ' --cpu-priority='
- - '--donate-level=0'
- - ' -o pool.'
- - ' --nicehash'
- - ' --algo=rx/0 '
- - 'stratum+tcp://'
- - 'stratum+udp://'
- # base64 encoded: --donate-level=
- - 'LS1kb25hdGUtbGV2ZWw9'
- - '0tZG9uYXRlLWxldmVsP'
- - 'tLWRvbmF0ZS1sZXZlbD'
- # base64 encoded: stratum+tcp:// and stratum+udp://
- - 'c3RyYXR1bSt0Y3A6Ly'
- - 'N0cmF0dW0rdGNwOi8v'
- - 'zdHJhdHVtK3RjcDovL'
- - 'c3RyYXR1bSt1ZHA6Ly'
- - 'N0cmF0dW0rdWRwOi8v'
- - 'zdHJhdHVtK3VkcDovL'
- condition: selection
+ selection:
+ CommandLine|contains:
+ - ' --cpu-priority='
+ - '--donate-level=0'
+ - ' -o pool.'
+ - ' --nicehash'
+ - ' --algo=rx/0 '
+ - 'stratum+tcp://'
+ - 'stratum+udp://'
+ # base64 encoded: --donate-level=
+ - 'LS1kb25hdGUtbGV2ZWw9'
+ - '0tZG9uYXRlLWxldmVsP'
+ - 'tLWRvbmF0ZS1sZXZlbD'
+ # base64 encoded: stratum+tcp:// and stratum+udp://
+ - 'c3RyYXR1bSt0Y3A6Ly'
+ - 'N0cmF0dW0rdGNwOi8v'
+ - 'zdHJhdHVtK3RjcDovL'
+ - 'c3RyYXR1bSt1ZHA6Ly'
+ - 'N0cmF0dW0rdWRwOi8v'
+ - 'zdHJhdHVtK3VkcDovL'
+ condition: selection
 falsepositives:
- - Legitimate use of crypto miners
+ - Legitimate use of crypto miners
 level: high
+tags:
+ - attack.impact
+ - attack.t1496
\ No newline at end of file
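Review bot: The `tags:` block appended at the end of the `win_crypto_mining_monero.yml` hunk leaves the file without a trailing newline — the `\ No newline at end of file` marker follows the added `- attack.t1496` line, while `level: high` is still a context line, so the old file did end with one; terminating the last line with a newline keeps yamllint and future diffs clean. Separately, this is the only rule touched here whose `tags` lands below `level` rather than with the rest of the metadata above `logsource`; key order means nothing to the YAML parser, but matching the layout of the other rules in this commit (for example `process_creation_apt_slingshot.yml`) aids diffability. The rule's header (title, id, references) lies above line 10, outside the hunk.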
diff --git a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
index c5aa53dbd..01c24de68 100644
--- a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
@@ -7,6 +7,7 @@ date: 2020/10/29
 modified: 2021/07/15
 tags:
 - attack.defense_evasion
+ - attack.t1197
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index 5a140744e..bc5d7d4b2 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -9,6 +9,7 @@ date: 2019/10/22
 modified: 2021/09/19
 tags:
 - attack.command_and_control
+ - attack.t1071
 logsource:
 category: process_creation
 product: windows