From ae960f088141db34ea2c90cdf2747152476e8bd7 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 12:50:36 +0100 Subject: [PATCH] Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test` chore: promote older rules status from experimental to test Co-authored-by: nasbench --- ...on_win_exploit_cve_2021_40444_office_directory_traversal.yml | 2 +- ...n_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml | 2 +- .../CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml | 2 +- ...c_creation_win_exploit_other_win_server_undocumented_rce.yml | 2 +- .../builtin/security/win_security_scheduled_task_deletion.yml | 2 +- ...isky_sign_ins_with_singlefactorauth_from_unknown_devices.yml | 2 +- rules/cloud/github/github_delete_action_invoked.yml | 2 +- rules/cloud/github/github_disable_high_risk_configuration.yml | 2 +- .../github_disabled_outdated_dependency_or_vulnerability.yml | 2 +- rules/cloud/github/github_new_org_member.yml | 2 +- rules/cloud/github/github_new_secret_created.yml | 2 +- rules/cloud/github/github_outside_collaborator_detected.yml | 2 +- .../cloud/github/github_self_hosted_runner_changes_detected.yml | 2 +- rules/cloud/okta/okta_admin_role_assignment_created.yml | 2 +- .../builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml | 2 +- .../builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml | 2 +- rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml | 2 +- rules/linux/builtin/lnx_susp_dev_tcp.yml | 2 +- .../proc_creation_lnx_bpf_kprob_tracing_enabled.yml | 2 +- .../proc_creation_lnx_cp_passwd_or_shadow_tmp.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml | 2 +- .../process_creation/proc_creation_lnx_iptables_flush_ufw.yml | 2 +- .../linux/process_creation/proc_creation_lnx_mount_hidepid.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_touch_susp.yml | 2 +- .../proc_creation_macos_clipboard_data_via_osascript.yml | 2 +- 
.../proc_creation_macos_jxa_in_memory_execution.yml | 2 +- .../proc_creation_macos_office_susp_child_processes.yml | 2 +- .../proc_creation_macos_osacompile_runonly_execution.yml | 2 +- rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml | 2 +- rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml | 2 +- rules/network/huawei/bgp/huawei_bgp_auth_failed.yml | 2 +- rules/network/juniper/bgp/juniper_bgp_missing_md5.yml | 2 +- rules/web/webserver_generic/web_java_payload_in_access_logs.yml | 2 +- .../win_software_restriction_policies_block.yml | 2 +- .../win_appxdeployment_server_applocker_block.yml | 2 +- .../win_appxdeployment_server_mal_appx_names.yml | 2 +- .../win_appxdeployment_server_policy_block.yml | 2 +- ...win_appxdeployment_server_susp_appx_package_installation.yml | 2 +- .../win_appxdeployment_server_susp_package_locations.yml | 2 +- .../win_appxdeployment_server_uncommon_package_locations.yml | 2 +- .../win_appxpackaging_om_sups_appx_signature.yml | 2 +- .../builtin/dns_client/win_dns_client_anonymfiles_com.yml | 2 +- .../builtin/firewall_as/win_firewall_as_failed_load_gpo.yml | 2 +- rules/windows/dns_query/dns_query_win_anonymfiles_com.yml | 2 +- .../file_event_win_susp_startup_folder_persistence.yml | 2 +- .../file_event_win_susp_vscode_powershell_profile.yml | 2 +- .../image_load/image_load_side_load_non_existent_dlls.yml | 2 +- .../posh_pm_active_directory_module_dll_import.yml | 2 +- .../powershell/powershell_module/posh_pm_exploit_scripts.yml | 2 +- .../powershell/powershell_module/posh_pm_susp_download.yml | 2 +- .../posh_ps_active_directory_module_dll_import.yml | 2 +- .../powershell/powershell_script/posh_ps_audio_exfiltration.yml | 2 +- .../powershell_script/posh_ps_import_module_susp_dirs.yml | 2 +- .../posh_ps_install_unsigned_appx_packages.yml | 2 +- .../powershell_script/posh_ps_nishang_malicious_commandlets.yml | 2 +- .../powershell_script/posh_ps_susp_alias_obfscuation.yml | 2 +- .../powershell/powershell_script/posh_ps_susp_set_alias.yml 
| 2 +- .../powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml | 2 +- rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml | 2 +- rules/windows/process_access/proc_access_win_invoke_phantom.yml | 2 +- .../proc_creation_win_cmdkey_adding_generic_creds.yml | 2 +- .../windows/process_creation/proc_creation_win_cmdkey_recon.yml | 2 +- .../proc_creation_win_deviceenroller_dll_sideloading.yml | 2 +- .../process_creation/proc_creation_win_dirlister_execution.yml | 2 +- .../process_creation/proc_creation_win_dnscmd_discovery.yml | 2 +- .../proc_creation_win_dsacls_abuse_permissions.yml | 2 +- .../proc_creation_win_dsacls_password_spray.yml | 2 +- .../proc_creation_win_fsutil_symlinkevaluation.yml | 2 +- .../process_creation/proc_creation_win_git_susp_clone.yml | 2 +- .../proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml | 2 +- .../proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml | 2 +- .../proc_creation_win_hktl_execution_via_imphashes.yml | 2 +- .../proc_creation_win_hktl_execution_via_pe_metadata.yml | 2 +- .../process_creation/proc_creation_win_hktl_handlekatz.yml | 2 +- .../proc_creation_win_hktl_htran_or_natbypass.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_inveigh.yml | 2 +- .../process_creation/proc_creation_win_hktl_krbrelay.yml | 2 +- .../process_creation/proc_creation_win_hktl_krbrelayup.yml | 2 +- .../process_creation/proc_creation_win_hktl_powertool.yml | 2 +- .../process_creation/proc_creation_win_hktl_safetykatz.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpersist.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpldapwhoami.yml | 2 +- .../process_creation/proc_creation_win_hktl_sysmoneop.yml | 2 +- .../proc_creation_win_iis_appcmd_http_logging.yml | 2 +- ..._creation_win_iis_appcmd_service_account_password_dumped.yml | 2 +- .../proc_creation_win_iis_appcmd_susp_rewrite_rule.yml | 2 +- .../proc_creation_win_java_keytool_susp_child_process.yml | 2 +- 
rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml | 2 +- .../proc_creation_win_msra_process_injection.yml | 2 +- .../proc_creation_win_mstsc_remote_connection.yml | 2 +- .../process_creation/proc_creation_win_nltest_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_nltest_recon.yml | 2 +- rules/windows/process_creation/proc_creation_win_node_abuse.yml | 2 +- .../proc_creation_win_office_spawn_exe_from_users_directory.yml | 2 +- .../proc_creation_win_office_svchost_parent.yml | 2 +- .../process_creation/proc_creation_win_pdqdeploy_execution.yml | 2 +- ...eation_win_powershell_active_directory_module_dll_import.yml | 2 +- .../proc_creation_win_powershell_base64_mppreference.yml | 2 +- .../proc_creation_win_powershell_base64_wmi_classes.yml | 2 +- .../proc_creation_win_powershell_import_cert_susp_locations.yml | 2 +- .../proc_creation_win_powershell_import_module_susp_dirs.yml | 2 +- ...c_creation_win_powershell_install_unsigned_appx_packages.yml | 2 +- .../process_creation/proc_creation_win_pua_defendercheck.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_frp.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_nps.yml | 2 +- .../windows/process_creation/proc_creation_win_pua_seatbelt.yml | 2 +- .../process_creation/proc_creation_win_query_session_exfil.yml | 2 +- .../proc_creation_win_reg_defender_exclusion.yml | 2 +- .../process_creation/proc_creation_win_reg_delete_safeboot.yml | 2 +- .../process_creation/proc_creation_win_reg_delete_services.yml | 2 +- .../proc_creation_win_reg_lsa_disable_restricted_admin.yml | 2 +- .../proc_creation_win_registry_new_network_provider.yml | 2 +- ...roc_creation_win_registry_set_unsecure_powershell_policy.yml | 2 +- .../process_creation/proc_creation_win_renamed_browsercore.yml | 2 +- .../process_creation/proc_creation_win_renamed_mavinject.yml | 2 +- .../windows/process_creation/proc_creation_win_renamed_msdt.yml | 2 +- .../proc_creation_win_renamed_netsupport_rat.yml | 2 
+- .../process_creation/proc_creation_win_renamed_plink.yml | 2 +- .../proc_creation_win_renamed_rundll32_dllregisterserver.yml | 2 +- .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +- .../proc_creation_win_renamed_sysinternals_sdelete.yml | 2 +- .../process_creation/proc_creation_win_renamed_vmnat.yml | 2 +- .../process_creation/proc_creation_win_rundll32_script_run.yml | 2 +- .../proc_creation_win_schtasks_one_time_only_midnight_task.yml | 2 +- .../proc_creation_win_schtasks_powershell_persistence.yml | 2 +- .../proc_creation_win_sqlite_chromium_profile_data.yml | 2 +- .../proc_creation_win_sqlite_firefox_gecko_profile_data.yml | 2 +- .../process_creation/proc_creation_win_ssh_rdp_tunneling.yml | 2 +- .../process_creation/proc_creation_win_susp_execution_path.yml | 2 +- .../proc_creation_win_susp_inline_win_api_access.yml | 2 +- .../proc_creation_win_sysinternals_psloglist.yml | 2 +- ...eation_win_systemsettingsadminflows_turn_on_dev_features.yml | 2 +- .../registry_event/registry_event_susp_atbroker_change.yml | 2 +- .../registry_set_susp_pendingfilerenameoperations.yml | 2 +- 134 files changed, 134 insertions(+), 134 deletions(-)
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 1d4be35ab..286d33c83 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation Attempt From Office Application
 id: 868955d9-697e-45d4-a3da-360cefd7c216
-status: experimental
+status: test
 description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
 references:
 - https://twitter.com/sbousseaden/status/1531653369546301440
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
index 153ec5086..5c46a52bb 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2022-26809 Exploitation Attempt
 id: a7cd7306-df8b-4398-b711-6f3e4935cf16
-status: experimental
+status: test
 description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
index d7bb5eb9e..9c1ef9ed6 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
 id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
-status: experimental
+status: test
 description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
 references:
 - https://seclists.org/fulldisclosure/2023/Jan/1
diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
index 08fd3e661..2febe5e8b 100644
--- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
 id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
-status: experimental
+status: test
 description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
 references:
 - https://github.com/SigmaHQ/sigma/pull/3946
diff --git a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 117a4da65..48dc06bc9 100644
--- a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -1,6 +1,6 @@
 title: Scheduled Task Deletion
 id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
-status: experimental
+status: test
 description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
 references:
 - https://twitter.com/matthewdunwoody/status/1352356685982146562
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index d8a495a7d..dee8102de 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -1,6 +1,6 @@
 title: Suspicious SignIns From A Non Registered Device
 id: 572b12d4-9062-11ed-a1eb-0242ac120002
-status: experimental
+status: test
 description: Detects risky authencaition from a non AD registered device without MFA being required.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index 50fb5e72c..e0d8f5847 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -1,6 +1,6 @@
 title: Github Delete Action Invoked
 id: 16a71777-0b2e-4db7-9888-9d59cb75200b
-status: experimental
+status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
 author: Muhammad Faisal
 date: 2023/01/19
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index 02c00f418..fbe4fa23b 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -1,6 +1,6 @@
 title: Github High Risk Configuration Disabled
 id: 8622c92d-c00e-463c-b09d-fd06166f6794
-status: experimental
+status: test
 description: Detects when a user disables a critical security feature for an organization.
 author: Muhammad Faisal
 date: 2023/01/29
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
index 02052af78..5ad33bcf3 100644
--- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
+++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
@@ -1,6 +1,6 @@
 title: Outdated Dependency Or Vulnerability Alert Disabled
 id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
-status: experimental
+status: test
 description: |
 Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index a23d3a98b..505626f1d 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -1,6 +1,6 @@
 title: New Github Organization Member Added
 id: 3908d64a-3c06-4091-b503-b3a94424533b
-status: experimental
+status: test
 description: Detects when a new member is added or invited to a github organization.
 author: Muhammad Faisal
 date: 2023/01/29
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
index 96767ef89..7daa5cc37 100644
--- a/rules/cloud/github/github_new_secret_created.yml
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -1,6 +1,6 @@
 title: Github New Secret Created
 id: f9405037-bc97-4eb7-baba-167dad399b83
-status: experimental
+status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
 author: Muhammad Faisal
 date: 2023/01/20
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index fbd16b49e..612782967 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -1,6 +1,6 @@
 title: Github Outside Collaborator Detected
 id: eaa9ac35-1730-441f-9587-25767bde99d7
-status: experimental
+status: test
 description: |
 Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
 author: Muhammad Faisal
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
index 7dc420524..23f9b0cb4 100644
--- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
+++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -1,6 +1,6 @@
 title: Github Self Hosted Runner Changes Detected
 id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
-status: experimental
+status: test
 description: |
 A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml
index f8fa20391..e16a60c69 100644
--- a/rules/cloud/okta/okta_admin_role_assignment_created.yml
+++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -1,6 +1,6 @@
 title: Okta Admin Role Assignment Created
 id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
-status: experimental
+status: test
 description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
 references:
 - https://developer.okta.com/docs/reference/api/system-log/
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index a4f894a3c..27829b539 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -1,6 +1,6 @@
 title: PwnKit Local Privilege Escalation
 id: 0506a799-698b-43b4-85a1-ac4c84c720e9
-status: experimental
+status: test
 description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 references:
 - https://twitter.com/wdormann/status/1486161836961579020
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 6b91e6096..91ef302ee 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -1,6 +1,6 @@
 title: Nimbuspwn Exploitation
 id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
-status: experimental
+status: test
 description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
 references:
 - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index 5df226990..624efdca8 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious BPF Activity - Linux
 id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
-status: experimental
+status: test
 description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
 references:
 - https://redcanary.com/blog/ebpf-malware/
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index 324126620..d8f68a34f 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -1,6 +1,6 @@
 title: Suspicious Use of /dev/tcp
 id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
-status: experimental
+status: test
 description: Detects suspicious command with /dev/tcp
 references:
 - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index f3bff8bb7..eb6839b7b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -1,6 +1,6 @@
 title: Enable BPF Kprobes Tracing
 id: 7692f583-bd30-4008-8615-75dab3f08a99
-status: experimental
+status: test
 description: Detects common command used to enable bpf kprobes tracing
 references:
 - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
diff --git a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
index 09f4affa6..585d63236 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
@@ -1,6 +1,6 @@
 title: Copy Passwd Or Shadow From TMP Path
 id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
-status: experimental
+status: test
 description: Detects when the file "passwd" or "shadow" is copied from tmp path
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
index 3282ade13..f99cf647c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
@@ -1,6 +1,6 @@
 title: Ufw Force Stop Using Ufw-Init
 id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
-status: experimental
+status: test
 description: Detects attempts to force stop the ufw using ufw-init
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
index dde4d2f5a..7c13288f2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
@@ -1,6 +1,6 @@
 title: Flush Iptables Ufw Chain
 id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
-status: experimental
+status: test
 description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
index 4aff51475..2629345c5 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -1,6 +1,6 @@
 title: Mount Execution With Hidepid Parameter
 id: ec52985a-d024-41e3-8ff6-14169039a0b3
-status: experimental
+status: test
 description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
index 1c0389fff..ac6b07c9c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
@@ -1,6 +1,6 @@
 title: Touch Suspicious Service File
 id: 31545105-3444-4584-bebf-c466353230d2
-status: experimental
+status: test
 description: Detects usage of the "touch" process in service file.
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
index 2ba571211..4e7ef66d7 100644
--- a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
@@ -3,7 +3,7 @@ id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
 related:
 - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
 type: derived
-status: experimental
+status: test
 description: Detects possible collection of data from the clipboard via execution of the osascript binary
 references:
 - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
index c2d032152..d17fb3ffd 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
@@ -3,7 +3,7 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 related:
 - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
 type: derived
-status: experimental
+status: test
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 references:
 - https://redcanary.com/blog/applescript/
diff --git a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
index 7e26acd3f..84af621ca 100644
--- a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
+++ b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
@@ -1,6 +1,6 @@
 title: Suspicious Microsoft Office Child Process - MacOS
 id: 69483748-1525-4a6c-95ca-90dc8d431b68
-status: experimental
+status: test
 description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
 references:
 - https://redcanary.com/blog/applescript/
diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
index b0df25c9d..ed9df6e6a 100644
--- a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
@@ -1,6 +1,6 @@
 title: OSACompile Run-Only Execution
 id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
-status: experimental
+status: test
 description: Detects potential suspicious run-only executions compiled using OSACompile
 references:
 - https://redcanary.com/blog/applescript/
diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
index cb47c973c..c71615765 100644
--- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
+++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Cisco BGP Authentication Failures
 id: 56fa3cd6-f8d6-4520-a8c7-607292971886
-status: experimental
+status: test
 description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
index 29296f87c..10800ba25 100644
--- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Cisco LDP Authentication Failures
 id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
-status: experimental
+status: test
 description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
index 7f204229c..5021d7aed 100644
--- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
+++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Huawei BGP Authentication Failures
 id: a557ffe6-ac54-43d2-ae69-158027082350
-status: experimental
+status: test
 description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
index 5dee02c5b..1982086a1 100644
--- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
+++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
@@ -1,6 +1,6 @@
 title: Juniper BGP Missing MD5
 id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
-status: experimental
+status: test
 description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
 references:
     - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
index 362580333..4de443dd8 100644
--- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
@@ -1,6 +1,6 @@
 title: Java Payload Strings
 id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
-status: experimental
+status: test
 description: Detects possible Java payloads in web access logs
 references:
     - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index 0a1e59213..d88d26564 100644
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -1,6 +1,6 @@
 title: Restricted Software Access By SRP
 id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
-status: experimental
+status: test
 description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
 references:
     - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
index f40f96633..89a606da3 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -1,6 +1,6 @@
 title: Deployment AppX Package Was Blocked By AppLocker
 id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
-status: experimental
+status: test
 description: Detects an appx package deployment that was blocked by AppLocker policy
 references:
     - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 520a58bf4..3f25523bf 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -1,6 +1,6 @@
 title: Potential Malicious AppX Package Installation Attempts
 id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
-status: experimental
+status: test
 description: Detects potential installation or installation attempts of known malicious appx packages
 references:
     - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
index 6cdfef035..67f5cdd79 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -1,6 +1,6 @@
 title: Deployment Of The AppX Package Was Blocked By The Policy
 id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
-status: experimental
+status: test
 description: Detects an appx package deployment that was blocked by the local computer policy
 references:
     - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index 67fabeac2..e6e7a0a2a 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -1,6 +1,6 @@
 title: Suspicious AppX Package Installation Attempt
 id: 898d5fc9-fbc3-43de-93ad-38e97237c344
-status: experimental
+status: test
 description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
 references:
     - Internal Research
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 19b333749..050c81c62 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -1,6 +1,6 @@
 title: Suspicious AppX Package Locations
 id: 5cdeaf3d-1489-477c-95ab-c318559fc051
-status: experimental
+status: test
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
 references:
     - Internal Research
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index dedc37ede..76767c6bd 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -1,6 +1,6 @@
 title: Uncommon AppX Package Locations
 id: c977cb50-3dff-4a9f-b873-9290f56132f1
-status: experimental
+status: test
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 references:
     - Internal Research
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index af67b2857..065666b05 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -1,6 +1,6 @@
 title: Suspicious Digital Signature Of AppX Package
 id: b5aa7d60-c17e-4538-97de-09029d6cd76b
-status: experimental
+status: test
 description: Detects execution of AppX packages with known suspicious or malicious signature
 references:
     - Internal Research
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
index c7e01fa2b..6b34ee5bc 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -3,7 +3,7 @@ id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
 related:
     - id: 065cceea-77ec-4030-9052-fc0affea7110
       type: similar
-status: experimental
+status: test
 description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 references:
     - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 3bd155fc1..b4993af05 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -1,6 +1,6 @@
 title: The Windows Defender Firewall Service Failed To Load Group Policy
 id: 7ec15688-fd24-4177-ba43-1a950537ee39
-status: experimental
+status: test
 description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index e170875b2..65ff6870d 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -3,7 +3,7 @@ id: 065cceea-77ec-4030-9052-fc0affea7110
 related:
     - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
       type: similar
-status: experimental
+status: test
 description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
 references:
     - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index ac6800220..67b11b2ea 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -3,7 +3,7 @@ id: 28208707-fe31-437f-9a7f-4b1108b94d2e
 related:
     - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
       type: similar
-status: experimental
+status: test
 description: Detects when a file with a suspicious extension is created in the startup folder
 references:
     - https://github.com/last-byte/PersistenceSniper
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index eb023d40d..580481f12 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -3,7 +3,7 @@ id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
 related:
     - id: b5b78988-486d-4a80-b991-930eff3ff8bf
       type: similar
-status: experimental
+status: test
 description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
 references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index e9ce6fbd2..0d674de97 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -3,7 +3,7 @@ id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 related:
     - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
       type: similar
-status: experimental
+status: test
 description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
index 69cb7347b..c3a3cb8ed 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 9e620995-f2d8-4630-8430-4afd89f77604
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
 references:
     - https://github.com/samratashok/ADModule
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index 6681b9021..67a3c7e88 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
       type: obsoletes
-status: experimental
+status: test
 description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
 references:
     - https://github.com/PowerShellMafia/PowerSploit
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index 6730552bc..66054fa1f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -3,7 +3,7 @@ id: de41232e-12e8-49fa-86bc-c05c7e722df9
 related:
     - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
       type: derived
-status: experimental
+status: test
 description: Detects suspicious PowerShell download command
 author: Florian Roth (Nextron Systems)
 date: 2017/03/05
diff --git a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
index 51ed8b287..25c9abb2a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 74176142-4684-4d8a-8b0a-713257e7df8e
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
 references:
     - https://github.com/samratashok/ADModule
diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
index 987d0f8e9..eddd5f9c4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
@@ -1,6 +1,6 @@
 title: Potential Data Exfiltration Via Audio File
 id: e4f93c99-396f-47c8-bb0f-201b1fa69034
-status: experimental
+status: test
 description: Detects potential exfiltration attempt via audio file using PowerShell
 references:
     - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index 8bd15a134..2d4a229c4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -3,7 +3,7 @@ id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
 related:
     - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
       type: similar
-status: experimental
+status: test
 description: Detects powershell scripts that import modules from suspicious directories
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
index 5470e2010..3a102abf4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
@@ -3,7 +3,7 @@ id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 related:
     - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
     - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 1da9d4f78..e5656f1e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -1,6 +1,6 @@
 title: Malicious Nishang PowerShell Commandlets
 id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
-status: experimental
+status: test
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 references:
     - https://github.com/samratashok/nishang
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index 1203f0ab5..2e09e11bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -3,7 +3,7 @@ id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 related:
     - id: 96cd126d-f970-49c4-848a-da3a09f55c55
       type: derived
-status: experimental
+status: test
 description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
 references:
     - Internal Research
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index 4ec7187d4..cffcb7dfa 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -3,7 +3,7 @@ id: 96cd126d-f970-49c4-848a-da3a09f55c55
 related:
     - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
       type: derived
-status: experimental
+status: test
 description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 references:
     - https://github.com/1337Rin/Swag-PSO
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index 77d721e97..0ac2eb869 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -3,7 +3,7 @@ id: 1139d2e2-84b1-4226-b445-354492eba8ba
 related:
     - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
       type: derived
-status: experimental
+status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
 references:
     - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index e8d5a41a7..12d6d2213 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -1,6 +1,6 @@
 title: Powershell XML Execute Command
 id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
-status: experimental
+status: test
 description: |
     Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index 5cec62e5a..b1374edb8 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -1,6 +1,6 @@
 title: Potential Svchost Memory Access
 id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
-status: experimental
+status: test
 description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.
 references:
     - https://github.com/hlldz/Invoke-Phant0m
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index 1053f50bb..d22f3cb67 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -1,6 +1,6 @@
 title: New Generic Credentials Added Via Cmdkey.EXE
 id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
-status: experimental
+status: test
 description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 87b40ce8d..d0dcf114c 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -1,6 +1,6 @@
 title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
 id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
-status: experimental
+status: test
 description: Detects usage of cmdkey to look for cached credentials on the system
 references:
     - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index b8a206282..3fec8ca31 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -3,7 +3,7 @@ id: e173ad47-4388-4012-ae62-bd13f71c18a8
 related:
     - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
       type: similar
-status: experimental
+status: test
 description: |
     Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
index c5dc88924..1d197418c 100644
--- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
@@ -1,6 +1,6 @@
 title: DirLister Execution
 id: b4dc61f5-6cce-468e-a608-b48b469feaa2
-status: experimental
+status: test
 description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
index d3ed4711e..b31f55077 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
@@ -1,6 +1,6 @@
 title: Potential Discovery Activity Via Dnscmd.EXE
 id: b6457d63-d2a2-4e29-859d-4e7affc153d1
-status: experimental
+status: test
 description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index 319b155db..04ebdede8 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -1,6 +1,6 @@
 title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
 id: 01c42d3c-242d-4655-85b2-34f1739632f7
-status: experimental
+status: test
 description: Detects usage of Dsacls to grant over permissive permissions
 references:
     - https://ss64.com/nt/dsacls.html
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index 884b3a8c8..216376d20 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -1,6 +1,6 @@
 title: Potential Password Spraying Attempt Using Dsacls.EXE
 id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
-status: experimental
+status: test
 description: Detects possible password spraying attempts using Dsacls
 references:
     - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 2c55ce3e6..dd1bd8a91 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -1,6 +1,6 @@
 title: Fsutil Behavior Set SymlinkEvaluation
 id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
-status: experimental
+status: test
 description: |
     A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
index 3db20c367..e74fcc261 100644
--- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
@@ -1,6 +1,6 @@
 title: Suspicious Git Clone
 id: aef9d1f1-7396-4e92-a927-4567c7a495c1
-status: experimental
+status: test
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
index 35ac828df..29ddf26bb 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
@@ -3,7 +3,7 @@ id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
 related:
     - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
       type: similar
-status: experimental
+status: test
 description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
 references:
     - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
index 17dc63004..f9aed5927 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
@@ -3,7 +3,7 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 related:
     - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
       type: similar
-status: experimental
+status: test
 description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
 references:
     - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index ee89630b6..a1a52c016 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -1,6 +1,6 @@
 title: Suspicious Hacktool Execution - Imphash
 id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
-status: experimental
+status: test
 description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
 references:
     - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index e00829046..b7064edd9 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
@@ -1,6 +1,6 @@
 title: Suspicious Hacktool Execution - PE Metadata
 id: 37c1333a-a0db-48be-b64b-7393b2386e3b
-status: experimental
+status: test
 description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
 references:
     - https://github.com/cube0x0
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index d51c41ec2..c4c806497 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -1,6 +1,6 @@
 title: HackTool - HandleKatz LSASS Dumper Execution
 id: ca621ba5-54ab-4035-9942-d378e6fcde3c
-status: experimental
+status: test
 description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
 references:
     - https://github.com/codewhitesec/HandleKatz
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
index 64cd45ece..d69f34f7f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
@@ -1,6 +1,6 @@
 title: HackTool - Htran/NATBypass Execution
 id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
-status: experimental
+status: test
 description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
 references:
     - https://github.com/HiwinCN/HTran
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
index c2e1e91cc..a8fbcc375 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -1,6 +1,6 @@
 title: HackTool - Inveigh Execution
 id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
-status: experimental
+status: test
 description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
 references:
     - https://github.com/Kevin-Robertson/Inveigh
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
index 6746a5308..61164e308 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
@@ -1,6 +1,6 @@
 title: HackTool - KrbRelay Execution
 id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
-status: experimental
+status: test
 description: Detects the use of KrbRelay, a Kerberos relaying tool
 references:
     - https://github.com/cube0x0/KrbRelay
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
index 6f4e18c2c..9d9670d32 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
@@ -1,6 +1,6 @@
 title: HackTool - KrbRelayUp Execution
 id: 12827a56-61a4-476a-a9cb-f3068f191073
-status: experimental
+status: test
 description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
 references:
     - https://github.com/Dec0ne/KrbRelayUp
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
index dd4760d86..b5a731874 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
@@ -1,6 +1,6 @@
 title: HackTool - PowerTool Execution
 id: a34f79a3-8e5f-4cc3-b765-de00695452c2
-status: experimental
+status: test
 description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
 references:
     - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
index 7826291f5..e5518ac0a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
@@ -1,6 +1,6 @@
 title: HackTool - SafetyKatz Execution
 id: b1876533-4ed5-4a83-90f3-b8645840a413
-status: experimental
+status: test
 description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
 references:
     - https://github.com/GhostPack/SafetyKatz
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
index 3aaf738c7..3058094de 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharPersist Execution
 id: 26488ad0-f9fd-4536-876f-52fea846a2e4
-status: experimental
+status: test
 description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
 references:
     - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
index 74d932937..824ed63e4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharpLdapWhoami Execution
 id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
-status: experimental
+status: test
 description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
 references:
     - https://github.com/bugch3ck/SharpLdapWhoami
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 278fcb649..33bc63019 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -1,6 +1,6 @@
 title: HackTool - SysmonEOP Execution
 id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
-status: experimental
+status: test
 description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
 references:
     - https://github.com/Wh04m1001/SysmonEoP
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
index 8158051e9..92411156e 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
@@ -1,6 +1,6 @@
 title: Disable Windows IIS HTTP Logging
 id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
-status: experimental
+status: test
 description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
index 7487035c8..24b8c18b1 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
@@ -1,6 +1,6 @@
 title: Microsoft IIS Service Account Password Dumped
 id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
-status: experimental
+status: test
 description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
 references:
     - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
index b1c60e9fc..d51a77ccf 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
@@ -1,6 +1,6 @@
 title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
 id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
-status: experimental
+status: test
 description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
 references:
     - https://twitter.com/malmoeb/status/1616702107242971144
diff --git a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
index 83caf9a7b..a5634bbe8 100644
--- a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Suspicious Shells Spawn by Java Utility Keytool
 id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
-status: experimental
+status: test
 description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
 references:
     - https://redcanary.com/blog/intelligence-insights-december-2021
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
index 8ac6873e3..b0e2c0d18 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
@@ -1,6 +1,6 @@
 title: Lolbin Ssh.exe Use As Proxy
 id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
-status: experimental
+status: test
 description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index 5ce66281f..958be5ee4 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml @@ -1,6 +1,6 @@ title: Potential Process Injection Via Msra.EXE id: 744a188b-0415-4792-896f-11ddb0588dbc -status: experimental +status: test description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics references: - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index 96dfaa215..92a0f6ba0 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -1,6 +1,6 @@ title: New Remote Desktop Connection Initiated Via Mstsc.EXE id: 954f0af7-62dd-418f-b3df-a84bc2c7a774 -status: experimental +status: test description: | Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. diff --git a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml index 0d96a4105..ab92fb09f 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml 
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
       type: obsoletes
-status: experimental
+status: test
 description: Detects nltest commands that can be used for information discovery
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
index 5bb122233..28089bffb 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 77815820-246c-47b8-9741-e0def3f57308
       type: obsoletes
-status: experimental
+status: test
 description: Detects nltest commands that can be used for information discovery
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
index 7c3c47414..d5de03284 100644
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
@@ -1,6 +1,6 @@
 title: Potential Arbitrary Code Execution Via Node.EXE
 id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
-status: experimental
+status: test
 description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
 references:
     - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
index da5f01b25..0de29ed4b 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml @@ -1,6 +1,6 @@ title: Suspicious Binary In User Directory Spawned From Office Application id: aa3a6f94-890e-4e22-b634-ffdfd54792cc -status: experimental +status: test description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign diff --git a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml index 7f3dfeddd..c9afa8272 100644 --- a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml @@ -1,6 +1,6 @@ title: Suspicious New Instance Of An Office COM Object id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28 -status: experimental +status: test description: | Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references) diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml index 5504ade3c..f73876bf2 100644 --- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml 
@@ -3,7 +3,7 @@ id: d679950c-abb7-43a6-80fb-2a480c4fc450
 related:
     - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
       type: similar
-status: experimental
+status: test
 description: Detect use of PDQ Deploy remote admin tool
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
index a0fe35c9f..5cbfd28a7 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 74176142-4684-4d8a-8b0a-713257e7df8e
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
 references:
     - https://github.com/samratashok/ADModule
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
index 6c0c14778..01cbda778 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
@@ -1,6 +1,6 @@
 title: Powershell Base64 Encoded MpPreference Cmdlet
 id: c6fb44c6-71f5-49e6-9462-1425d328aee3
-status: experimental
+status: test
 description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
 references:
     - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index 21f19606f..45295f7da 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -3,7 +3,7 @@ id: 1816994b-42e1-4fb1-afd2-134d88184f71
 related:
     - id: 47688f1b-9f51-4656-b013-3cc49a166a36
       type: obsoletes
-status: experimental
+status: test
 description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.
 references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index dd3d5918a..402733ae5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -1,6 +1,6 @@
 title: Root Certificate Installed From Susp Locations
 id: 5f6a601c-2ecb-498b-9c33-660362323afa
-status: experimental
+status: test
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 references:
     - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
index b7d5035eb..329fecd61 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
@@ -3,7 +3,7 @@ id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
 related:
     - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
       type: similar
-status: experimental
+status: test
 description: Detects powershell scripts that import modules from suspicious directories
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 7ec726db5..8525e4207 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -3,7 +3,7 @@ id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 related:
     - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
     - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 0564835a2..5bed99cfb 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -1,6 +1,6 @@
 title: PUA - DefenderCheck Execution
 id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
-status: experimental
+status: test
 description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
 references:
     - https://github.com/matterpreter/DefenderCheck
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 9426e44bc..9b809012f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -1,6 +1,6 @@
 title: PUA - Fast Reverse Proxy (FRP) Execution
 id: 32410e29-5f94-4568-b6a3-d91a8adad863
-status: experimental
+status: test
 description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
 references:
     - https://asec.ahnlab.com/en/38156/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
index 1e2bad0cc..1a5550ff4 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
@@ -1,6 +1,6 @@
 title: PUA - NPS Tunneling Tool Execution
 id: 68d37776-61db-42f5-bf54-27e87072d17e
-status: experimental
+status: test
 description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
 references:
     - https://github.com/ehang-io/nps
diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
index 6432783ae..84559cbd2 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
@@ -1,6 +1,6 @@
 title: PUA - Seatbelt Execution
 id: 38646daa-e78f-4ace-9de0-55547b2d30da
-status: experimental
+status: test
 description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
 references:
     - https://github.com/GhostPack/Seatbelt
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index 6b8b2b605..e7928dd1f 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -1,6 +1,6 @@
 title: Query Usage To Exfil Data
 id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
-status: experimental
+status: test
 description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
 references:
     - https://twitter.com/MichalKoczwara/status/1553634816016498688
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index fc1c4ec81..8bbfb03d2 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -1,6 +1,6 @@
 title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
 id: 48917adc-a28e-4f5d-b729-11e75da8941f
-status: experimental
+status: test
 description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
 references:
     - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index 6e927e0a8..2b45c02e9 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -3,7 +3,7 @@ id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
 related:
     - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
       type: similar
-status: experimental
+status: test
 description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
     - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index 7e506c4ba..6da47889b 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -1,6 +1,6 @@
 title: Service Registry Key Deleted Via Reg.EXE
 id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
-status: experimental
+status: test
 description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
 references:
     - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index d095234b0..38aa56f37 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -3,7 +3,7 @@ id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 related:
     - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
       type: similar
-status: experimental
+status: test
 description: |
     Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
     RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
index 59033fddc..9f3ffc22d 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
@@ -3,7 +3,7 @@ id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
 related:
     - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
       type: similar
-status: experimental
+status: test
 description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
 references:
     - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
index 2e0c2c18d..e2ae3a664 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
       type: similar
-status: experimental
+status: test
 description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
 references:
     - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index cdfc2195c..a0e5762c2 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -1,6 +1,6 @@
 title: Renamed BrowserCore.EXE Execution
 id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
-status: experimental
+status: test
 description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
 references:
     - https://twitter.com/mariuszbit/status/1531631015139102720
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
index 287e327c4..c4c13d98d 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -1,6 +1,6 @@
 title: Renamed Mavinject.EXE Execution
 id: e6474a1b-5390-49cd-ab41-8d88655f7394
-status: experimental
+status: test
 description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 20d1548aa..6a5c90b28 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -1,6 +1,6 @@
 title: Renamed Msdt.EXE Execution
 id: bd1c6866-65fc-44b2-be51-5588fcff82b9
-status: experimental
+status: test
 description: Detects the execution of a renamed "Msdt.exe" binary
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 37c38252a..48ae4e590 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -1,6 +1,6 @@
 title: Renamed NetSupport RAT Execution
 id: 0afbd410-de03-4078-8491-f132303cb67d
-status: experimental
+status: test
 description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
 references:
     - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index c2d79235f..6a4d5a33e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -1,6 +1,6 @@
 title: Renamed Plink Execution
 id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
-status: experimental
+status: test
 description: Detects the execution of a renamed version of the Plink binary
 references:
     - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
index a485dd8ba..6667dda49 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
@@ -3,7 +3,7 @@ id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
 related:
     - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
       type: derived
-status: experimental
+status: test
 description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
 references:
     - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index 0f3867171..f1e541c2e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -1,6 +1,6 @@
 title: Renamed Remote Utilities RAT (RURAT) Execution
 id: 9ef27c24-4903-4192-881a-3adde7ff92a5
-status: experimental
+status: test
 description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
 references:
     - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
index 121ea63fc..ff78489fa 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
@@ -1,6 +1,6 @@
 title: Renamed Sysinternals Sdelete Execution
 id: c1d867fe-8d95-4487-aab4-e53f2d339f90
-status: experimental
+status: test
 description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index b18156c9e..c59802333 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -1,6 +1,6 @@
 title: Renamed Vmnat.exe Execution
 id: 7b4f794b-590a-4ad4-ba18-7964a2832205
-status: experimental
+status: test
 description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
 references:
     - https://twitter.com/malmoeb/status/1525901219247845376
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
index f7f53f8e5..827b016b8 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
@@ -1,6 +1,6 @@
 title: Suspicious Rundll32 Script in CommandLine
 id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
-status: experimental
+status: test
 description: Detects suspicious process related to rundll32 based on arguments
 references:
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
index c1eae40a6..b5e40bb6f 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
@@ -1,6 +1,6 @@
 title: Uncommon One Time Only Scheduled Task At 00:00
 id: 970823b7-273b-460a-8afc-3a6811998529
-status: experimental
+status: test
 description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
 references:
     - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
index 9c5e2ca66..14869fd6d 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
@@ -3,7 +3,7 @@ id: b66474aa-bd92-4333-a16c-298155b120df
 related:
     - id: 6e8811ee-90ba-441e-8486-5653e68b2299
       type: similar
-status: experimental
+status: test
 description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
 references:
     - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
index bbb7f74cb..e9c72d990 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
@@ -1,6 +1,6 @@
 title: SQLite Chromium Profile Data DB Access
 id: 24c77512-782b-448a-8950-eddb0785fc71
-status: experimental
+status: test
 description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
index 012a329df..9192cf12f 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
@@ -1,6 +1,6 @@
 title: SQLite Firefox Profile Data DB Access
 id: 4833155a-4053-4c9c-a997-777fcea0baa7
-status: experimental
+status: test
 description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index d2ab3821e..aede5ee40 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -3,7 +3,7 @@ id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
 related:
     - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
       type: similar
-status: experimental
+status: test
 description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
 references:
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 447bb5775..b76a30ae3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -1,6 +1,6 @@
 title: Execution from Suspicious Folder
 id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
-status: experimental
+status: test
 description: Detects a suspicious execution from an uncommon folder
 references:
     - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
index 3c063d250..c64730414 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
@@ -3,7 +3,7 @@ id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
 related:
     - id: 03d83090-8cba-44a0-b02f-0b756a050306
       type: derived
-status: experimental
+status: test
 description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
 references:
     - https://twitter.com/m417z/status/1566674631788007425
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
index b2352c405..930c35e92 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
@@ -1,6 +1,6 @@
 title: Suspicious Use of PsLogList
 id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
-status: experimental
+status: test
 description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
 references:
     - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index ea7421f86..a5f2f3b61 100644
--- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -3,7 +3,7 @@ id: a383dec4-deec-4e6e-913b-ed9249670848
 related:
     - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
       type: similar
-status: experimental
+status: test
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
     - Internal Research
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index 11fdecf90..a30a328ef 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -1,6 +1,6 @@
 title: Atbroker Registry Change
 id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-status: experimental
+status: test
 description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
 references:
     - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index aba450b50..bc9f4cd92 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -1,6 +1,6 @@
 title: Potential PendingFileRenameOperations Tamper
 id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
-status: experimental
+status: test
 description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
 references:
     - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6