From b00047a4e88977dcb8662dcb1b0c206d55895cb0 Mon Sep 17 00:00:00 2001 
From: aw350m3
Date: Thu, 3 Sep 2020 14:16:47 +0000
Subject: [PATCH] att&ck tags review: application, apt, cloud, generic, proxy
---
rules/application/app_python_sql_exceptions.yml | 4 ++++
rules/application/app_sqlinjection_errors.yml | 4 ++++
.../appframework_django_exceptions.yml | 4 ++++
.../appframework_ruby_on_rails_exceptions.yml | 4 ++++
.../appframework_spring_exceptions.yml | 4 ++++
rules/apt/apt_silence_downloader_v3.yml | 9 ++++++++-
rules/apt/apt_silence_eda.yml | 11 ++++++++++-
rules/cloud/aws_cloudtrail_disable_logging.yml | 2 +-
rules/cloud/aws_config_disable_recording.yml | 2 +-
rules/cloud/aws_ec2_download_userdata.yml | 2 ++
rules/cloud/aws_ec2_startup_script_change.yml | 10 ++++++++--
rules/cloud/aws_guardduty_disruption.yml | 2 +-
rules/cloud/aws_iam_backdoor_users_keys.yml | 2 ++
rules/cloud/aws_rds_change_master_password.yml | 2 ++
rules/cloud/aws_rds_public_db_restore.yml | 2 ++
rules/cloud/aws_root_account_usage.yml | 9 ++++++---
rules/generic/generic_brute_force.yml | 2 ++
rules/proxy/proxy_apt40.yml | 8 ++++++++
rules/proxy/proxy_chafer_malware.yml | 4 ++++
rules/proxy/proxy_cobalt_amazon.yml | 6 +++++-
rules/proxy/proxy_cobalt_ocsp.yml | 6 +++++-
rules/proxy/proxy_cobalt_onedrive.yml | 6 +++++-
rules/proxy/proxy_download_susp_dyndns.yml | 6 ++++++
.../proxy/proxy_download_susp_tlds_blacklist.yml | 9 ++++++++-
.../proxy/proxy_download_susp_tlds_whitelist.yml | 8 ++++++++
rules/proxy/proxy_downloadcradle_webdav.yml | 5 +++++
rules/proxy/proxy_empire_ua_uri_combos.yml | 6 ++++++
rules/proxy/proxy_empty_ua.yml | 5 +++++
rules/proxy/proxy_ios_implant.yml | 11 +++++++++++
rules/proxy/proxy_powershell_ua.yml | 5 +++++
rules/proxy/proxy_pwndrop.yml | 8 ++++++++
rules/proxy/proxy_raw_paste_service_access.yml | 10 ++++++++--
rules/proxy/proxy_susp_flash_download_loc.yml | 9 +++++++++
rules/proxy/proxy_telegram_api.yml | 8 ++++++++
rules/proxy/proxy_turla_comrat.yml | 5 +++++
rules/proxy/proxy_ua_apt.yml | 4 ++++
rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 8 ++++++++
rules/proxy/proxy_ua_cryptominer.yml | 4 ++++
rules/proxy/proxy_ua_frameworks.yml | 4 ++++
rules/proxy/proxy_ua_hacktool.yml | 6 ++++++
rules/proxy/proxy_ua_malware.yml | 4 ++++
rules/proxy/proxy_ua_suspicious.yml | 4 ++++
rules/proxy/proxy_ursnif_malware.yml | 16 ++++++++++++++++
43 files changed, 234 insertions(+), 16 deletions(-)
diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml
index 85eeb7429..62868b5be 100644
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@@ -3,6 +3,10 @@ id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 date: 2017/08/12
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
 references:
 - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index 7421bc15d..1f238c695 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -4,6 +4,10 @@ status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
 date: 2017/11/27
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
 references:
 - http://www.sqlinjection.net/errors
 logsource:
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index d01324f26..6ffdf64f3 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@@ -3,6 +3,10 @@ id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/05
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
 references:
 - https://docs.djangoproject.com/en/1.11/ref/exceptions/
 - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index 6002ff432..fcd8876cd 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -3,6 +3,10 @@ id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
 references:
 - http://edgeguides.rubyonrails.org/security.html
 - http://guides.rubyonrails.org/action_controller_overview.html
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index e051726f3..c827e640c 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -3,6 +3,10 @@ id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
 references:
 - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml
index e46b0c220..9b729ac57 100644
--- a/rules/apt/apt_silence_downloader_v3.yml
+++ b/rules/apt/apt_silence_downloader_v3.yml
@@ -4,9 +4,16 @@ status: experimental
 description: Detects Silence downloader. These commands are hardcoded into the binary.
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/22
+modified: 2020/09/01
 tags:
 - attack.persistence
+ - attack.t1547.001
+ - attack.t1060 # an old one
+ - attack.discovery
+ - attack.t1057
+ - attack.t1082
+ - attack.t1016
+ - attack.t1033
 - attack.g0091
 logsource:
 category: process_creation
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index f27167fd0..c027197d9 100644
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@@ -4,8 +4,17 @@ status: experimental
 description: Detects Silence empireDNSagent
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/20
+modified: 2020/09/01
 tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.command_and_control
+ - attack.t1071.004
+ - attack.t1071 # an old one
+ - attack.t1572
+ - attack.impact
+ - attack.t1529
 - attack.g0091
 - attack.s0363
 logsource:
diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml
index 09f180ff8..75d6fd3ab 100644
--- a/rules/cloud/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml
@@ -22,5 +22,5 @@ falsepositives:
 - Valid change in a Trail
 tags:
 - attack.defense_evasion
- - attack.t1089
 - attack.t1562.001
+ - attack.t1089 # an old one
diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml
index 85bc64886..00112ffcd 100644
--- a/rules/cloud/aws_config_disable_recording.yml
+++ b/rules/cloud/aws_config_disable_recording.yml
@@ -19,5 +19,5 @@ falsepositives:
 - Valid change in AWS Config Service
 tags:
 - attack.defense_evasion
- - attack.t1089
 - attack.t1562.001
+ - attack.t1089 # an old one
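Review bot: `attack.t1071 # an old one` in the apt_silence_eda hunk puts the same comment on the live parent technique of t1071.004 that the patch uses for genuinely retired IDs such as `attack.t1086` two lines above, so a later cleanup that strips "old ones" would also delete a still-valid tag. The same ambiguity recurs on parent IDs elsewhere in this patch: t1059 in aws_ec2_startup_script_change, t1078 in aws_root_account_usage, t1204 in both proxy_download_susp_tlds rules and proxy_susp_flash_download_loc, t1036 in proxy_susp_flash_download_loc, and t1102 in proxy_pwndrop, proxy_raw_paste_service_access and proxy_telegram_api. In proxy_apt40, `attack.t1048 # an old one` is neither retired nor the parent of t1567.002, so that comment is wrong on its own terms. Two distinct comments would preserve the distinction: `# deprecated ID, kept for older consumers` on retired IDs and `# parent technique` on parents.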
diff --git a/rules/cloud/aws_ec2_download_userdata.yml b/rules/cloud/aws_ec2_download_userdata.yml
index 04219094b..65ce7d1b2 100644
--- a/rules/cloud/aws_ec2_download_userdata.yml
+++ b/rules/cloud/aws_ec2_download_userdata.yml
@@ -3,6 +3,7 @@ id: 26ff4080-194e-47e7-9889-ef7602efed0c
 status: experimental
 author: faloker
 date: 2020/02/11
+modified: 2020/09/01
 description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
@@ -21,4 +22,5 @@ level: medium
 falsepositives:
 - Assets management software like device42
 tags:
+ - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml
index 7edcff0bc..8e167c93c 100644
--- a/rules/cloud/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws_ec2_startup_script_change.yml
@@ -3,6 +3,7 @@ id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
@@ -20,5 +21,10 @@ level: high
 falsepositives:
 - Valid changes to the startup script
 tags:
- - attack.t1064
- - attack.t1059
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.t1059.003
+ - attack.t1059.004
+ - attack.t1059 # an old one
+ - attack.t1064 # an old one
diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml
index 53da70c91..90058c9e3 100644
--- a/rules/cloud/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws_guardduty_disruption.yml
@@ -19,5 +19,5 @@ falsepositives:
 - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
 - attack.defense_evasion
- - attack.t1089
 - attack.t1562.001
+ - attack.t1089 # an old one
diff --git a/rules/cloud/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws_iam_backdoor_users_keys.yml
index b25fc462e..7693948ed 100644
--- a/rules/cloud/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws_iam_backdoor_users_keys.yml
@@ -3,6 +3,7 @@ id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
@@ -26,4 +27,5 @@ falsepositives:
 - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
 - AWS API keys legitimate exchange workflows
 tags:
+ - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/aws_rds_change_master_password.yml b/rules/cloud/aws_rds_change_master_password.yml
index babb5fc4e..429b529b9 100644
--- a/rules/cloud/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws_rds_change_master_password.yml
@@ -3,6 +3,7 @@ id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects the change of database master password. It may be a part of data exfiltration.
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@@ -20,4 +21,5 @@ level: medium
 falsepositives:
 - Benign changes to a db instance
 tags:
+ - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws_rds_public_db_restore.yml b/rules/cloud/aws_rds_public_db_restore.yml
index a57c76d33..9e1591eec 100644
--- a/rules/cloud/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws_rds_public_db_restore.yml
@@ -3,6 +3,7 @@ id: c3f265c7-ff03-4056-8ab2-d486227b4599
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@@ -20,4 +21,5 @@ level: high
 falsepositives:
 - unknown
 tags:
+ - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws_root_account_usage.yml b/rules/cloud/aws_root_account_usage.yml
index d29219cae..6374bd53f 100644
--- a/rules/cloud/aws_root_account_usage.yml
+++ b/rules/cloud/aws_root_account_usage.yml
@@ -3,14 +3,15 @@ id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
 status: experimental
 author: vitaliy0x1
 date: 2020/01/21
+modified: 2020/09/01
 description: Detects AWS root account usage
 references:
 - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 logsource:
 service: cloudtrail
 detection:
- selection_usertype:
- - userIdentity.type: Root
+ selection_usertype:
+ - userIdentity.type: Root
 selection_eventtype:
 - eventType: AwsServiceEvent
 condition: selection_usertype AND NOT selection_eventtype
@@ -18,4 +19,6 @@ level: medium
 falsepositives:
 - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
 tags:
- - attack.t1078
+ - attack.privilege_escalation
+ - attack.t1078.004
+ - attack.t1078 # an old one
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
index 13c1d70d2..c02246878 100644
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
@@ -2,9 +2,11 @@ title: Brute Force
 id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
 description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
 tags:
+ - attack.credential_access
 - attack.t1110
 author: Aleksandr Akhremchik, oscd.community
 date: 2019/10/25
+modified: 2020/09/01
 status: experimental
 logsource:
 category: authentication
diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml
index e8aa43cbf..9469b1926 100644
--- a/rules/proxy/proxy_apt40.yml
+++ b/rules/proxy/proxy_apt40.yml
@@ -6,6 +6,14 @@ references:
 - Internal research from Florian Roth
 author: Thomas Patzke
 date: 2019/11/12
+modified: 2020/09/02
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
+ - attack.exfiltration
+ - attack.t1567.002
+ - attack.t1048 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 062f9013e..1e7639b35 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -6,6 +6,10 @@ references:
 - https://securelist.com/chafer-used-remexi-malware/89538/
 author: Florian Roth
 date: 2019/01/31
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 84afdfacb..f7cffc200 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -7,8 +7,12 @@ references:
 - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
- - attack.t1102
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
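Review bot: The proxy_chafer_malware hunk adds a `tags:` block but, unlike every other rule this patch touches, no `modified:` line, so the rule's metadata no longer records that its classification changed; proxy_susp_flash_download_loc later in the patch has the same gap. Neighbouring hunks from the same day carry the stamp, so adding `modified: 2020/09/02` after `date: 2019/01/31` here, and `modified: 2020/09/03` after `date: 2017/10/25` in the flash rule, would keep the patch self-consistent.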
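Review bot: In the proxy_cobalt_amazon hunk the new `attack.defense_evasion` tactic tag is left with no technique under it once `attack.t1102` is dropped, so a reader cannot tell what evasion the rule is meant to cover; proxy_cobalt_ocsp and proxy_cobalt_onedrive in the next hunks end up with the identical list. If the tactic is meant to capture the malleable profile imitating legitimate service traffic, a technique such as `attack.t1001.003` (Data Obfuscation: Protocol Impersonation) would pin that down; otherwise the bare tactic tag should be dropped rather than carried as an unexplained marker.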
diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml
index 41822c246..92f89f26f 100644
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@@ -6,8 +6,12 @@ references:
 - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
- - attack.t1102
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 175ecf6ce..72ad73998 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@@ -6,8 +6,12 @@ references:
 - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
- - attack.t1102
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 56ea7ac4f..debdcd937 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -6,6 +6,12 @@ references:
 - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
+modified: 2020/09/03
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1105
+ - attack.t1568
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index d7ec3cfee..45b0a06a7 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -9,7 +9,14 @@ references:
 - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
 date: 2017/11/07
-modified: 2018/06/13
+modified: 2020/09/03
+tags:
+ - attack.initial_access
+ - attack.t1566
+ - attack.execution
+ - attack.t1203
+ - attack.t1204.002
+ - attack.t1204 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
index 81a155a22..01611a14e 100644
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@@ -4,6 +4,14 @@ status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
 date: 2017/03/13
+modified: 2020/09/03
+tags:
+ - attack.initial_access
+ - attack.t1566
+ - attack.execution
+ - attack.t1203
+ - attack.t1204.002
+ - attack.t1204 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml
index 6d0c562d7..d6936e18a 100644
--- a/rules/proxy/proxy_downloadcradle_webdav.yml
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml
@@ -6,6 +6,11 @@ references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
 date: 2018/04/06
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml
index 7c3153a6e..6af04128e 100644
--- a/rules/proxy/proxy_empire_ua_uri_combos.yml
+++ b/rules/proxy/proxy_empire_ua_uri_combos.yml
@@ -6,6 +6,12 @@ references:
 - https://github.com/BC-SECURITY/Empire
 author: Florian Roth
 date: 2020/07/13
+modified: 2020/09/03
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml
index e6dfc2e88..e5b419edd 100644
--- a/rules/proxy/proxy_empty_ua.yml
+++ b/rules/proxy/proxy_empty_ua.yml
@@ -6,6 +6,11 @@ references:
 - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index ce45ca853..d35b62ccd 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -7,6 +7,17 @@ references:
 - https://twitter.com/craiu/status/1167358457344925696
 author: Florian Roth
 date: 2019/08/30
+modified: 2020/09/03
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.collection
+ - attack.t1005
+ - attack.t1119
+ - attack.credential_access
+ - attack.t1528
+ - attack.t1552.001
+ - attack.t1081 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index 4639899b4..7db71c1a5 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -6,6 +6,11 @@ references:
 - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 date: 2017/03/13
+modified: 2020/09/03
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
index 9fe81dc17..059392b63 100644
--- a/rules/proxy/proxy_pwndrop.yml
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -6,6 +6,14 @@ references:
 - https://breakdev.org/pwndrop/
 author: Florian Roth
 date: 2020/04/15
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
+ - attack.t1102.001
+ - attack.t1102.003
+ - attack.t1102 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index eba8c9a12..cc3ee001c 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -6,9 +6,15 @@ references:
 - https://www.virustotal.com/gui/domain/paste.ee/relations
 author: Florian Roth
 date: 2019/12/05
+modified: 2020/09/03
 tags:
- - attack.t1102
- - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
+ - attack.t1102.001
+ - attack.t1102.003
+ - attack.defense_evasion
+ - attack.t1102 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index 966ac2244..a9a2756b1 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -6,6 +6,15 @@ references:
 - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 date: 2017/10/25
+tags:
+ - attack.initial_access
+ - attack.t1189
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1204 # an old one
+ - attack.defense_evasion
+ - attack.t1036.005
+ - attack.t1036 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml
index 3c4cdac0b..ff9258630 100644
--- a/rules/proxy/proxy_telegram_api.yml
+++ b/rules/proxy/proxy_telegram_api.yml
@@ -8,6 +8,14 @@ references:
 - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth
 date: 2018/06/05
+modified: 2020/09/03
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
+ - attack.t1102.002
+ - attack.t1102 # an old one
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
index 3a743adb3..5377597db 100644
--- a/rules/proxy/proxy_turla_comrat.yml
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -6,7 +6,12 @@ references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth
 date: 2020/05/26
+modified: 2020/09/03
 tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
 - attack.g0010
 logsource:
 category: proxy
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 0baf02b23..84e78efd9 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -6,6 +6,10 @@ references:
 - Internal Research
 author: Florian Roth, Markus Neis
 date: 2019/11/12
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index c0ed66830..8140806b1 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -4,6 +4,14 @@ status: experimental
 description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth
 date: 2019/03/07
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml
index 4a8f12cce..a35e323e7 100644
--- a/rules/proxy/proxy_ua_cryptominer.yml
+++ b/rules/proxy/proxy_ua_cryptominer.yml
@@ -7,6 +7,10 @@ references:
 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 author: Florian Roth
 date: 2019/10/21
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml
index e32ff46ae..39f90e732 100644
--- a/rules/proxy/proxy_ua_frameworks.yml
+++ b/rules/proxy/proxy_ua_frameworks.yml
@@ -6,6 +6,10 @@ references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index 97d5858af..2a6e5fd1e 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -7,6 +7,12 @@ references:
 - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.credential_access
+ - attack.t1110
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index bdfa6f6ac..9621726bd 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -10,6 +10,10 @@ references:
 - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index 72e7fb39f..52e828330 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -6,6 +6,10 @@ references:
 - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
index 5099db0ed..bed1e8524 100644
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -4,6 +4,16 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
+modified: 2020/09/03
+tags:
+ - attack.initial_access
+ - attack.t1566.001
+ - attack.t1193 # an old one
+ - attack.execution
+ - attack.1204.002
+ - attack.1204 # an old one
+ - attack.command_and_control
+ - attack.t1071.001
 logsource:
 category: proxy
 detection:
@@ -27,6 +37,12 @@ description: Detects Ursnif C2 traffic.
 references:
 - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
 author: Thomas Patzke
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1132
+ - attack.defense_evasion
+ - attack.t1027
 logsource:
 category: proxy
 detection:
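Review bot: `attack.1204.002` and `attack.1204 # an old one` in the first proxy_ursnif_malware hunk are missing the `t` that every other technique tag in this patch carries (compare `attack.t1204.002` / `attack.t1204 # an old one` in proxy_download_susp_tlds_blacklist), so they match neither the sub-technique nor its parent and would be rejected by a tag-format check if the repository runs one. Change them to `- attack.t1204.002` and `- attack.t1204 # an old one`. The second hunk of the same file, which tags the C2 document, is unaffected.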