From af8bf06b3015f031df6f3cd28d5c8e9aa91fc709 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 8 Sep 2021 20:14:49 +0200
Subject: [PATCH] add missing tags
---
 .../windows/process_creation/process_mailboxexport_share.yml | 3 +++
 rules/windows/process_creation/win_apt_hafnium.yml | 4 ++++
 rules/windows/process_creation/win_malware_conti_7zip.yml | 3 +++
 rules/windows/process_creation/win_malware_formbook.yml | 3 +++
 rules/windows/process_creation/win_reg_add_run_key.yml | 3 +++
 .../windows/process_creation/win_susp_psexex_paexec_flags.yml | 3 +++
 rules/windows/process_creation/win_susp_renamed_debugview.yml | 3 +++
 rules/windows/process_creation/win_susp_renamed_paexec.yml | 3 +++
 .../windows/process_creation/win_susp_rundll32_no_params.yml | 3 +++
 rules/windows/process_creation/win_susp_service_dir.yml | 3 +++
 rules/windows/process_creation/win_susp_splwow64.yml | 3 +++
 rules/windows/process_creation/win_susp_vbscript_unc2452.yml | 4 ++++
 12 files changed, 38 insertions(+)
diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml
index da6aba619..aaa722fa5 100644
--- a/rules/windows/process_creation/process_mailboxexport_share.yml
+++ b/rules/windows/process_creation/process_mailboxexport_share.yml
@@ -24,3 +24,6 @@ level: critical
 fields:
 - CommandLine
 - ParentCommandLine
+tags:
+ attack.collection
+ attack.t1114
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml
index 14772b4b5..30c41f2ba 100644
--- a/rules/windows/process_creation/win_apt_hafnium.yml
+++ b/rules/windows/process_creation/win_apt_hafnium.yml
@@ -70,3 +70,7 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.t1546
+ - attack.t1053
\ No newline at end of file
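Review bot: In process_mailboxexport_share.yml the two entries added under `tags:` carry no `- ` sequence marker, so a YAML loader folds them into the single plain scalar `attack.collection attack.t1114` rather than a list, which is not the shape the other eleven files in this commit use and will likely be rejected or mis-read by tooling that iterates the tags. The two lines should read `  - attack.collection` and `  - attack.t1114`. Every file in the patch also ends with `\ No newline at end of file`; adding the terminating newline would keep the files consistent and stop that marker from reappearing in the next diff that touches them.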
diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml
index 15198fae6..aff67440f 100644
--- a/rules/windows/process_creation/win_malware_conti_7zip.yml
+++ b/rules/windows/process_creation/win_malware_conti_7zip.yml
@@ -19,3 +19,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.collection
+ - attack.t1560
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index d30851ea9..fd1207cad 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
@@ -49,3 +49,6 @@ fields:
 falsepositives:
 - Unknown
 level: critical
+tags:
+ - attack.develop_capabilities
+ - attack.t1587.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_reg_add_run_key.yml b/rules/windows/process_creation/win_reg_add_run_key.yml
index 0cd6b8545..ef9ededa7 100644
--- a/rules/windows/process_creation/win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/win_reg_add_run_key.yml
@@ -20,3 +20,6 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
index 404f2d7a3..51926aa0f 100644
--- a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
@@ -32,3 +32,6 @@ falsepositives:
 - Weird admins that rename their tools
 - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
 level: high
+tags:
+ - attack.develop_capabilities
+ - attack.t1587.001
\ No newline at end of file
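Review bot: win_malware_formbook.yml and win_susp_psexex_paexec_flags.yml are both tagged `attack.develop_capabilities` / `attack.t1587.001`, a Resource Development technique that describes an adversary building malware in its own environment before any intrusion, which a process-creation rule on a victim host cannot observe. For the PsExec/PAExec rule, the false-positive entries in the hunk ("admins that rename their tools") indicate it keys on a renamed binary, which ATT&CK classifies as masquerading (`attack.defense_evasion`, `attack.t1036.003`); the detection section is outside the hunk, so confirm before changing. For the Formbook rule the behaviour actually matched is not visible here either; a tag naming what the rule triggers on (the execution or defense-evasion technique it observes) would serve analysts better than the capability-development tag, and the rule body should be checked to pick it.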
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
index f421c1cd6..54c431bb0 100644
--- a/rules/windows/process_creation/win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -21,3 +21,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.discovery
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml
index 7c51c620a..06c4680f6 100644
--- a/rules/windows/process_creation/win_susp_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml
@@ -24,3 +24,6 @@ falsepositives:
 - Weird admins that rename their tools
 - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
index b45e3b4e0..b1a6486ae 100644
--- a/rules/windows/process_creation/win_susp_rundll32_no_params.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -25,3 +25,6 @@ fields:
 falsepositives:
 - Possible but rare
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_service_dir.yml b/rules/windows/process_creation/win_susp_service_dir.yml
index bc04c1e4b..f435334e9 100644
--- a/rules/windows/process_creation/win_susp_service_dir.yml
+++ b/rules/windows/process_creation/win_susp_service_dir.yml
@@ -30,3 +30,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202
\ No newline at end of file
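Review bot: win_susp_renamed_debugview.yml receives only tactic tags (`attack.lateral_movement`, `attack.discovery`) with no technique, unlike every other file in this commit, and neither tactic is the usual classification for a renamed utility; if its detection section (outside the hunk) keys on a renamed DebugView binary, `attack.defense_evasion` plus `attack.t1036.003` would be the consistent pairing. The same `attack.t1202` (Indirect Command Execution) is then applied to win_susp_renamed_paexec.yml, win_susp_rundll32_no_params.yml and win_susp_service_dir.yml, whose names point to quite different behaviours, and for rundll32 proxy execution ATT&CK assigns `attack.t1218.011`; the shared tag reads as a placeholder that should be revisited per rule against each rule's own detection logic.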
diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml
index 38c4a4da3..d18e5e6a8 100644
--- a/rules/windows/process_creation/win_susp_splwow64.yml
+++ b/rules/windows/process_creation/win_susp_splwow64.yml
@@ -18,3 +18,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
index d224ddbf9..9e67d2a78 100644
--- a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
+++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
@@ -24,3 +24,7 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
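Review bot: win_susp_vbscript_unc2452.yml gains the key `tags:` twice in succession — the first with an empty (null) value, the second carrying the list — which is a duplicate mapping key; the YAML 1.2 spec forbids it, yamllint reports it as `key-duplicates`, and most loaders silently keep the last value, so the rule would parse on some tooling and fail on others. Drop the first `tags:` line so the hunk adds `tags:` once followed by `  - attack.persistence` and `  - attack.t1547.001`; the diffstat's `4 ++++` for this file would then become `3 +++` like its siblings. win_susp_splwow64.yml in the same hunk pair carries `attack.t1202` like several other rules in this commit; its detection section is outside the hunk, so check that the technique actually reflects what the rule matches rather than being a shared default.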