diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index fcecea5d0..5f732c52f 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -1,4 +1,4 @@
-title: T1000 AD Object WriteDAC Access
+title: AD Object WriteDAC Access
 id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
 description: Detects WRITE_DAC access to a domain object
 status: experimental
@@ -6,6 +6,9 @@ date: 2019/09/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
+tags:
+ - attack.defense_evasion
+ - attack.t1222
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index 5c1be265c..93580c596 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -1,4 +1,4 @@
-title: T1003 Active Directory Replication from Non Machine Account
+title: Active Directory Replication from Non Machine Account
 id: 17d619c1-e020-4347-957e-1d1207455c93
 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
 status: experimental
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
index 114fc5d58..3093a0864 100644
--- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
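Review bot: The added `tags` block changes this rule's metadata, but the hunk header shows `date: 2019/09/12` as line 5 and the hunk starts at `author:` on line 6, so the file carries no `modified:` field that records this edit. Sigma's convention, as far as I recall, is to add a `modified:` date whenever a published rule is changed; add `modified: <commit date placeholder>` after the `date:` line here and in the other tags hunks whose files likewise show only `date:` in their hunk header (win_remote_powershell_session, powershell_alternate_powershell_hosts, sysmon_remote_powershell_session_network). The files whose hunk headers already show `modified: 2019/11/10` are fine if that is this commit's date.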
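Review bot: The title hunk drops the `T1003` prefix from this rule, but unlike the other files in this commit no `tags:` block is added in its place, so the ATT&CK mapping the title carried is lost unless a tags block already exists further down the file, outside this hunk. The same applies to win_dpapi_domain_backupkey_extraction, win_dpapi_domain_masterkey_backup_attempt and win_protected_storage_service_access (previously `T1003`), to win_sam_registry_hive_handle_request and win_syskey_registry_access (previously `T1012`), and to win_scm_database_handle_failure and win_scm_database_privileged_operation (previously `T1000`, which is not an ATT&CK technique id, so those two need a mapping chosen by the author, as was done for the WriteDAC rule). For the former T1003 rules the block would be `tags:` / `    - attack.credential_access` / `    - attack.t1003`, placed between `references:` and `logsource:` as the other hunks do.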
@@ -1,4 +1,4 @@
-title: T1003 DPAPI Domain Backup Key Extraction
+title: DPAPI Domain Backup Key Extraction
 id: 4ac1f50b-3bd0-4968-902d-868b4647937e
 description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
 status: experimental
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
index 7db784e55..f488f98a3 100644
--- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -1,4 +1,4 @@
-title: T1003 DPAPI Domain Master Key Backup Attempt
+title: DPAPI Domain Master Key Backup Attempt
 id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
 description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
 status: experimental
diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml
index 14ab7787c..d77180197 100644
--- a/rules/windows/builtin/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/win_protected_storage_service_access.yml
@@ -1,4 +1,4 @@
-title: T1003 Protected Storage Service Access
+title: Protected Storage Service Access
 id: 45545954-4016-43c6-855e-eae8f1c369dc
 description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
 status: experimental
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
index 0217a0a7e..ee1028240 100644
--- a/rules/windows/builtin/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -1,4 +1,4 @@
-title: T1086 Remote PowerShell Sessions
+title: Remote PowerShell Sessions
 id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
 description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
 status: experimental
@@ -6,6 +6,9 @@ date: 2019/09/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: security
@@ -19,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
index a920f3985..641c545be 100644
--- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
@@ -1,4 +1,4 @@
-title: T1012 SAM Registry Hive Handle Request
+title: SAM Registry Hive Handle Request
 id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
 description: Detects handles requested to SAM registry hive
 status: experimental
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index 1579b2856..238013851 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -1,4 +1,4 @@
-title: T1000 SCM Database Handle Failure
+title: SCM Database Handle Failure
 id: 13addce7-47b2-4ca0-a98f-1de964d1d669
 description: Detects non-system users failing to get a handle of the SCM database.
 status: experimental
@@ -19,4 +19,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml
index be1e0ca9f..9c9df1cb1 100644
--- a/rules/windows/builtin/win_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml
@@ -1,4 +1,4 @@
-title: T1000 SCM Database Privileged Operation
+title: SCM Database Privileged Operation
 id: dae8171c-5ec6-4396-b210-8466585b53e9
 description: Detects non-system users performing privileged operation os the SCM database
 status: experimental
@@ -19,4 +19,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml
index 3be0c313e..ff56999a5 100644
--- a/rules/windows/builtin/win_syskey_registry_access.yml
+++ b/rules/windows/builtin/win_syskey_registry_access.yml
@@ -1,4 +1,4 @@
-title: T1012 SysKey Registry Keys Access
+title: SysKey Registry Keys Access
 id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
 description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
 status: experimental
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index dab0b8b4a..40a47197b 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -1,4 +1,4 @@
-title: T1086 Alternate PowerShell Hosts
+title: Alternate PowerShell Hosts
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
@@ -6,6 +6,9 @@ date: 2019/08/11
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: powershell
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 3c7bfa8e9..aabde34d7 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -1,4 +1,4 @@
-title: T1086 Remote PowerShell Session
+title: Remote PowerShell Session
 id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 description: Detects remote PowerShell sessions
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: powershell
@@ -20,4 +23,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 32629837b..0333dde00 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -1,4 +1,4 @@
-title: T1086 Non Interactive PowerShell
+title: Non Interactive PowerShell
 id: f4bbd493-b796-416e-bbf2-121235348529
 description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 4d2a79da3..7d7ffe50e 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -1,4 +1,4 @@
-title: T1086 Remote PowerShell Session
+title: Remote PowerShell Session
 id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
 description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn)
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index 00520c05d..a292011c9 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -1,4 +1,4 @@
-title: T1047 Wmiprvse Spawning Process
+title: Wmiprvse Spawning Process
 id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
+tags:
+ - attack.execution
+ - attack.t1047
 logsource:
 category: process_creation
 product: windows
@@ -18,4 +21,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
index 22612450e..85350e7db 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -1,4 +1,4 @@
-title: T1086 Alternate PowerShell Hosts
+title: Alternate PowerShell Hosts
 id: f67f6c57-257d-4919-a416-69cd31f9aac3
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: sysmon
@@ -20,4 +23,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index d82b03a58..70132598b 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -1,4 +1,4 @@
-title: T1086 Alternate PowerShell Hosts
+title: Alternate PowerShell Hosts
 id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
index 4daf1e655..5c560981a 100644
--- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
@@ -1,4 +1,4 @@
-title: T1055 CreateRemoteThread API and LoadLibrary
+title: CreateRemoteThread API and LoadLibrary
 id: 052ec6f6-1adc-41e6-907a-f1c813478bee
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
+tags:
+ - attack.defense_evasion
+ - attack.t1055
 logsource:
 product: windows
 service: sysmon
@@ -18,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
index b1b96d0b2..124c8312b 100644
--- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
@@ -1,4 +1,4 @@
-title: T1086 PowerShell Execution
+title: PowerShell Execution
 id: 867613fb-fa60-4497-a017-a82df74a172c
 description: Detects execution of PowerShell
 status: experimental
@@ -10,6 +10,9 @@ references:
 logsource:
 product: windows
 service: sysmon
+tags:
+ - attack.execution
+ - attack.t1086
 detection:
 selection:
 EventID: 7
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
index 1025c4591..d41b96f55 100644
--- a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
+++ b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
@@ -1,4 +1,4 @@
-title: T1086 PowerShell Execution
+title: PowerShell Execution
 id: d32b53ce-2a41-4db0-a42a-fb574d819d97
 description: Detects execution of PowerShell
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml
index 3636a93c0..634dbb141 100644
--- a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml
@@ -1,4 +1,4 @@
-title: T1112 RDP Registry Modification
+title: RDP Registry Modification
 id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
 description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
 status: experimental
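Review bot: The `tags:` block in the `@@ -10,6 +10,9 @@` hunk of sysmon_powershell_execution_moduleload.yml is inserted after the `logsource:` mapping and before `detection:`, whereas every other tags block in this commit sits between `references:` and `logsource:`. YAML mappings are unordered, so the rule parses the same either way, but the divergent key order makes the rule set harder to diff and review; move `tags:` / `    - attack.execution` / `    - attack.t1086` up so they directly follow the `references:` entry, as in the sibling files. The rule's `detection:` block continues outside the hunk.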
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
index bca594a84..23df41651 100644
--- a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
@@ -1,4 +1,4 @@
-title: T1086 Remote PowerShell Session
+title: Remote PowerShell Session
 id: c539afac-c12a-46ed-b1bd-5a5567c9f045
 description: Detects remote PowerShell seccions by monitoring network outbount connections to ports 5985 or 5986 from not network service account
 status: experimental
@@ -6,6 +6,9 @@ date: 2019/09/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+tags:
+ - attack.execution
+ - attack.t1086
 logsource:
 product: windows
 service: sysmon
@@ -20,4 +23,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index f9684b08d..155ac05dc 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -1,4 +1,4 @@
-title: T1047 WMI Modules Loaded
+title: WMI Modules Loaded
 id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
@@ -7,6 +7,9 @@ modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
+tags:
+ - attack.execution
+ - attack.t1047
 logsource:
 product: windows
 service: sysmon