Removed ATT&CK technique ids from titles and added tags

Thomas Patzke
2020-01-11 00:33:50 +01:00
parent 8d6a507ec4
commit ae6fcefbcd
23 changed files with 76 additions and 31 deletions
@@ -1,4 +1,4 @@
title: T1000 AD Object WriteDAC Access
title: AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
description: Detects WRITE_DAC access to a domain object
status: experimental
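Review bot: T1000 in the old title was never an ATT&CK technique id (it reads like a placeholder), so this rule had no usable technique mapping until now; with the id gone from the title, the attack.t1222 tag added in the next hunk is the only place the mapping lives, and it should be checked against the referenced playbook path (T1222_file_permissions_modification), which it does match.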
@@ -6,6 +6,9 @@ date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
tags:
- attack.defense_evasion
- attack.t1222
logsource:
product: windows
service: security
@@ -1,4 +1,4 @@
title: T1003 Active Directory Replication from Non Machine Account
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
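Review bot: this file receives only the title change and no tags hunk is shown, so please confirm the rule already carries attack.credential_access and attack.t1003; otherwise the T1003 mapping is lost completely once the id leaves the title. The same check applies to the other T1003 and T1012 rules in this commit that show a title-only hunk.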
@@ -1,4 +1,4 @@
title: T1003 DPAPI Domain Backup Key Extraction
title: DPAPI Domain Backup Key Extraction
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
status: experimental
@@ -1,4 +1,4 @@
title: T1003 DPAPI Domain Master Key Backup Attempt
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
status: experimental
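Review bot: unchanged context, but "This events gets generated" in the description should read "This event is generated"; worth fixing while the file is being touched, since descriptions end up in alert text.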
@@ -1,4 +1,4 @@
title: T1003 Protected Storage Service Access
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
status: experimental
@@ -1,4 +1,4 @@
title: T1086 Remote PowerShell Sessions
title: Remote PowerShell Sessions
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
@@ -6,6 +6,9 @@ date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: security
@@ -19,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
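Review bot: level: critical combined with falsepositives: Unknown is a strong pairing for a rule that fires on every inbound connection to 5985/5986 (per the description), which is routine traffic wherever PowerShell Remoting is used for administration; consider documenting the expected benign sources (management hosts, configuration-management and monitoring systems) in falsepositives or lowering the level. The hunk itself appears to change only the trailing newline at end of file, which is fine. The capitalised "OR" in the description also reads like a Sigma condition keyword; lowercase "or" would avoid confusion with condition syntax.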
@@ -1,4 +1,4 @@
title: T1012 SAM Registry Hive Handle Request
title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
description: Detects handles requested to SAM registry hive
status: experimental
@@ -1,4 +1,4 @@
title: T1000 SCM Database Handle Failure
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
description: Detects non-system users failing to get a handle of the SCM database.
status: experimental
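Review bot: as with the WriteDAC rule, T1000 here was a placeholder rather than an ATT&CK id, and no tags hunk is shown for this file; the SCM handle-failure rule therefore needs real tactic and technique tags added, otherwise it ends up with no ATT&CK mapping at all after this commit (the SCM privileged-operation rule below is in the same situation).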
@@ -19,4 +19,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1000 SCM Database Privileged Operation
title: SCM Database Privileged Operation
id: dae8171c-5ec6-4396-b210-8466585b53e9
description: Detects non-system users performing privileged operation os the SCM database
status: experimental
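Review bot: unchanged context line, but "privileged operation os the SCM database" should read "privileged operations on the SCM database".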
@@ -19,4 +19,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1012 SysKey Registry Keys Access
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
status: experimental
@@ -1,4 +1,4 @@
title: T1086 Alternate PowerShell Hosts
title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
@@ -6,6 +6,9 @@ date: 2019/08/11
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell
@@ -1,4 +1,4 @@
title: T1086 Remote PowerShell Session
title: Remote PowerShell Session
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
description: Detects remote PowerShell sessions
status: experimental
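Review bot: with the technique prefix removed, this title is now identical to the titles of the two other "Remote PowerShell Session" rules in this commit (one over process_creation, one over sysmon network connections), and the same collision happens for the three "Alternate PowerShell Hosts" rules and the two "PowerShell Execution" rules; since most backends use the title as the alert name, consider qualifying each with its log source, e.g. `title: Remote PowerShell Session (PowerShell Log)`, so analysts can tell which rule fired.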
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell
@@ -20,4 +23,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1086 Non Interactive PowerShell
title: Non Interactive PowerShell
id: f4bbd493-b796-416e-bbf2-121235348529
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
status: experimental
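Review bot: "with not explorer.exe as a parent" in the description is awkward; "whose parent process is not explorer.exe" states the logic more clearly. Unchanged context, so a follow-up commit is fine.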
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
tags:
- attack.execution
- attack.t1086
logsource:
category: process_creation
product: windows
@@ -1,4 +1,4 @@
title: T1086 Remote PowerShell Session
title: Remote PowerShell Session
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn)
status: experimental
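Review bot: unchanged context, but the description carries two typos ("seccions", "sessionn") that will surface in alert text; "Detects remote PowerShell sessions by monitoring for wsmprovhost as a parent or child process (sign of an active PS remote session)" reads correctly.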
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
logsource:
category: process_creation
product: windows
@@ -1,4 +1,4 @@
title: T1047 Wmiprvse Spawning Process
title: Wmiprvse Spawning Process
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
description: Detects wmiprvse spawning processes
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
@@ -18,4 +21,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1086 Alternate PowerShell Hosts
title: Alternate PowerShell Hosts
id: f67f6c57-257d-4919-a416-69cd31f9aac3
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
@@ -20,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1086 Alternate PowerShell Hosts
title: Alternate PowerShell Hosts
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
@@ -1,4 +1,4 @@
title: T1055 CreateRemoteThread API and LoadLibrary
title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
tags:
- attack.defense_evasion
- attack.t1055
logsource:
product: windows
service: sysmon
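Review bot: T1055 Process Injection sits under both Defense Evasion and Privilege Escalation in ATT&CK, so alongside attack.defense_evasion consider also adding attack.privilege_escalation, as other injection rules in the repository do; the reference path (05_defense_evasion/T1055_process_injection) justifies the tactic chosen, but the second tactic is part of the same technique.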
@@ -18,4 +21,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1086 PowerShell Execution
title: PowerShell Execution
id: 867613fb-fa60-4497-a017-a82df74a172c
description: Detects execution of PowerShell
status: experimental
@@ -10,6 +10,9 @@ references:
logsource:
product: windows
service: sysmon
tags:
- attack.execution
- attack.t1086
detection:
selection:
EventID: 7
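Review bot: the tags block is inserted between logsource and detection here, whereas every other file in this commit places tags before logsource (see the `@@ -7,6 +7,9 @@` hunk in the sibling "PowerShell Execution" rule); move it above logsource for consistency, which also keeps the two "PowerShell Execution" rules easy to diff against each other.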
@@ -1,4 +1,4 @@
title: T1086 PowerShell Execution
title: PowerShell Execution
id: d32b53ce-2a41-4db0-a42a-fb574d819d97
description: Detects execution of PowerShell
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
@@ -1,4 +1,4 @@
title: T1112 RDP Registry Modification
title: RDP Registry Modification
id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
service: sysmon
@@ -1,4 +1,4 @@
title: T1086 Remote PowerShell Session
title: Remote PowerShell Session
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
description: Detects remote PowerShell seccions by monitoring network outbount connections to ports 5985 or 5986 from not network service account
status: experimental
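Review bot: same typos as in the process_creation rule ("seccions", plus "outbount"), and "from not network service account" should read "from accounts other than NETWORK SERVICE"; the exclusion of the service account is what keeps this rule usable, so the description should state it clearly. Unchanged context, suitable for a follow-up.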
@@ -6,6 +6,9 @@ date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
@@ -20,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,4 +1,4 @@
title: T1047 WMI Modules Loaded
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: sysmon