diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
index b97a2ad42..53a1cc506 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
@@ -24,7 +24,7 @@ detection: ImagePath|endswitch: 'readtoend' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.defense_evasion
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
index 89530befa..6d6b0e27d 100644
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@@ -22,7 +22,7 @@ modified: 2021/12/02 detection: condition: all of selection* falsepositives:
- - unknown
+ - Unknown
 level: high
 --- logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 74039ee14..66ec17a1d 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -30,5 +30,5 @@ detection: - 1 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 4ee610ce7..9bece1cfc 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -27,5 +27,5 @@ detection: - 1 condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index e6cf10772..f2b230198 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -38,5 +38,5 @@ detection: - 15 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index 67ed17d74..8df44f543 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -33,5 +33,5 @@ detection: - 15 condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 0e0151b04..45f389dcd 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -30,5 +30,5 @@ detection: - 1 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index aa28a4bc5..1ce665d32 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -26,5 +26,5 @@ detection: - 1 condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
index 0cbbce502..fac7b591d 100644
--- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
@@ -15,7 +15,7 @@ detection: eventName: DeleteFileSystem condition: selection falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.impact
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index 86583bdf8..59b3e7304 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -15,7 +15,7 @@ detection: eventName: DeleteMountTarget condition: selection falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.impact
diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml
index b3bf32e71..dbc413919 100644
--- a/rules/cloud/aws/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/aws_rds_public_db_restore.yml
@@ -17,7 +17,7 @@ detection: eventName: RestoreDBInstanceFromDBSnapshot condition: selection_source falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.exfiltration
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index fa9c67ce3..c224c84d9 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -79,7 +79,7 @@ detection: - 87106 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: medium # tags: # - CSC4
diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/compliance/firewall_cleartext_protocols.yml
index a0916b7c0..1a1f3d7e9 100644
--- a/rules/compliance/firewall_cleartext_protocols.yml
+++ b/rules/compliance/firewall_cleartext_protocols.yml
@@ -38,7 +38,7 @@ detection: - 2 condition: selection1 and selection2 falsepositives:
- - unknown
+ - Unknown
 level: low # tags: # - CSC4
diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml
index 68fc146fd..703ccfdb6 100644
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
@@ -31,7 +31,7 @@ detection: - 634 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: low # tags: # - CSC4
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index 455d225c3..4bf1b1210 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -75,5 +75,5 @@ detection: - 5904 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: low \ No newline at end of file
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml
index 0cb5033c4..50e682026 100644
--- a/rules/compliance/workstation_was_locked.yml
+++ b/rules/compliance/workstation_was_locked.yml
@@ -19,7 +19,7 @@ detection: - 4800 condition: selection falsepositives:
- - unknown
+ - Unknown
 level: low # tags: # - CSC16
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index fd3531e09..1c3b6cbab 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -24,5 +24,5 @@ tags: - attack.privilege_escalation - attack.t1068 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index ac1f505b9..cb04ce559 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
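Review bot: The netflow_cleartext_protocols.yml hunk still ends with `\ No newline at end of file` after the unchanged `level: low`, and since this commit already rewrites the line directly above it, this is the natural moment to terminate the file with a newline so yamllint's `new-line-at-end-of-file` check stops flagging it. The same marker appears on several other files touched by this sweep (win_apt_gallium, win_tool_psexec, the PsExec file/pipe rules, the SilentTrinity and System.Drawing image-load rules, the two PowerShell module rules), so fixing them together keeps the change mechanical. Purely a style point; the detection logic is untouched.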
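Review bot: In the workstation_was_locked.yml hunk, `falsepositives: - Unknown` is misleading for a compliance rule whose only selector is `- 4800`: if that is the Security-log "workstation was locked" event the filename implies, every ordinary screen lock produces it and the rule is an audit/coverage signal rather than a detection. Suggest replacing the entry with `- Normal user activity; every workstation lock raises this event` so consumers at `level: low` do not triage hits as suspicious. I cannot see the `selection` block header, so the event-ID semantics are inferred from the filename.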
@@ -20,7 +20,7 @@ detection: - c-uri|endswith: '.exe' condition: selection_webdav and selection_executable falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.command_and_control
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
index bb86f47a2..ed3a28834 100644
--- a/rules/network/zeek/zeek_http_webdav_put_request.yml
+++ b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -21,7 +21,7 @@ detection: - 10.0.0.0/8 condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: low tags: - attack.exfiltration
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 952010ffb..e0e7ef851 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -17,7 +17,7 @@ detection: #Accesses: '*WriteData*' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.lateral_movement
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index 84819110c..51e3015bd 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@@ -20,7 +20,7 @@ fields: - url - response falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.discovery
diff --git a/rules/windows/builtin/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
index 810af5f56..9e3ff3d54 100644
--- a/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/rules/windows/builtin/dns_server/win_apt_gallium.yml
@@ -31,5 +31,5 @@ detection: - 'cvdfhjh1231.ddns.net' condition: c2_selection falsepositives:
- - unknown
+ - Unknown
 level: high \ No newline at end of file
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index d9c8fcfed..663155d08 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -16,7 +16,7 @@ detection: - ' -Confirm "False"' condition: all of command falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.defense_evasion
diff --git a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
index 252c8334c..a17fd4130 100644
--- a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -22,7 +22,7 @@ detection: FilePath|contains: 'immersivecontrolpanel' condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 fields: - ParentProcess - CommandLine
diff --git a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
index 2ea2e8cd4..223390846 100644
--- a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
+++ b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
@@ -37,7 +37,7 @@ detection: - '.inf' condition: all of selection_* falsepositives:
- - unknown
+ - Unknown
 fields: - ParentProcess - CommandLine
diff --git a/rules/windows/builtin/security/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml
index aaa84638e..d4135914f 100644
--- a/rules/windows/builtin/security/win_etw_modification.yml
+++ b/rules/windows/builtin/security/win_etw_modification.yml
@@ -26,7 +26,7 @@ detection: NewValue: '0' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: critical tags: - attack.defense_evasion
diff --git a/rules/windows/builtin/security/win_hidden_user_creation.yml b/rules/windows/builtin/security/win_hidden_user_creation.yml
index 87c55ef85..f85515fad 100644
--- a/rules/windows/builtin/security/win_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_hidden_user_creation.yml
@@ -21,5 +21,5 @@ fields: - EventCode - AccountName falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
index f3ec0d146..cb53ad051 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
@@ -31,5 +31,5 @@ detection: - 'system.io.streamreader' condition: all of selection* falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index 5f127ce93..6b13d185b 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -34,5 +34,5 @@ detection: - '::1' condition: selection and ( sourceRDP or destinationRDP ) falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
index fb811ece0..3b2c04657 100644
--- a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
@@ -29,7 +29,7 @@ detection: AccessMask: 0x10000 condition: selection1 or selection2 falsepositives:
- - unknown
+ - Unknown
 level: critical tags: - attack.defense_evasion
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 7823e7d4c..3c43072d9 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -8,7 +8,7 @@ modified: 2022/03/06 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) falsepositives:
- - unknown
+ - Unknown
 level: medium logsource: product: windows
diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml
index 49d47422e..cb844e1f3 100644
--- a/rules/windows/builtin/system/win_pcap_drivers.yml
+++ b/rules/windows/builtin/system/win_pcap_drivers.yml
@@ -32,7 +32,7 @@ fields: - Originating_Computer - ServiceName falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.discovery
diff --git a/rules/windows/builtin/system/win_susp_system_update_error.yml b/rules/windows/builtin/system/win_susp_system_update_error.yml
index 8f38e6893..a5ac5e52c 100644
--- a/rules/windows/builtin/system/win_susp_system_update_error.yml
+++ b/rules/windows/builtin/system/win_susp_system_update_error.yml
@@ -19,7 +19,7 @@ detection: - 217 # Commit Failure: Windows failed to commit the following update with error condition: selection falsepositives:
- - unknown
+ - Unknown
 level: low tags: - attack.impact
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
index d54e00e74..42fff945f 100644
--- a/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_tool_psexec.yml
@@ -33,5 +33,5 @@ detection: ServiceName: 'PSEXESVC' condition: service_installation or service_execution falsepositives:
- - unknown
+ - Unknown
 level: low \ No newline at end of file
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 1bc41f106..42ab44305 100644
--- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -30,5 +30,5 @@ tags: - attack.t1059.007 - attack.t1218.005 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index 02934f765..daf111a32 100644
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -22,6 +22,6 @@ detection: - '0C88' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index dffb1092d..5e02d5760 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -21,7 +21,7 @@ fields: - TargetFilename - Image falsepositives:
- - unknown
+ - Unknown
 level: critical tags: - attack.defense_evasion
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
index 6b396ffe6..0a9ffb60d 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
@@ -31,5 +31,5 @@ fields: - DestinationIp - DestinationPort falsepositives:
- - unknown
+ - Unknown
 level: high \ No newline at end of file
diff --git a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
index a2f9df494..5266a1518 100644
--- a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
+++ b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
@@ -17,7 +17,7 @@ detection: Image: C:\Windows\system32\svchost.exe condition: selection_teamviewer and not filter falsepositives:
- - unknown
+ - Unknown
 level: low tags: - attack.defense_evasion
diff --git a/rules/windows/file_event/file_event_win_outlook_newform.yml b/rules/windows/file_event/file_event_win_outlook_newform.yml
index 0ee7b8be5..223a23d7a 100644
--- a/rules/windows/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file_event/file_event_win_outlook_newform.yml
@@ -20,5 +20,5 @@ detection: fields: - TargetFilename falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
index ebb332912..98b59bbff 100644
--- a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
@@ -16,7 +16,7 @@ detection: TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: low tags: - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_tool_psexec.yml b/rules/windows/file_event/file_event_win_tool_psexec.yml
index d4e3d237b..5c75c696d 100644
--- a/rules/windows/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_win_tool_psexec.yml
@@ -31,5 +31,5 @@ detection: TargetFilename|endswith: '\PSEXESVC.exe' condition: sysmon_filecreation falsepositives:
- - unknown
+ - Unknown
 level: low \ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
index 43e503fff..0c6edd8c2 100755
--- a/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -14,7 +14,7 @@ detection: TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.command_and_control
diff --git a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
index 3da25ade8..3f7f2eaec 100644
--- a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -25,7 +25,7 @@ detection: fields: - TargetFilename falsepositives:
- - unknown
+ - Unknown
 level: critical tags: - attack.resource_development
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index 38f33c4cd..b1e9c1eea 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
@@ -31,5 +31,5 @@ detection: - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' condition: selection_dll and not filter_legit falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
index cdd19b2a0..0b70fe7d7 100755
--- a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
@@ -32,7 +32,7 @@ detection: timeframe: 30s condition: selector | near dllload1 and dllload2 and not exclusion falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.s0002
diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
index f6b55d616..f935150fd 100644
--- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -21,5 +21,5 @@ detection: Description|contains: 'st2stager' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high \ No newline at end of file
diff --git a/rules/windows/image_load/image_load_susp_advapi32_dll.yml b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
index 73745c9d1..4aafc2f71 100644
--- a/rules/windows/image_load/image_load_susp_advapi32_dll.yml
+++ b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
@@ -27,7 +27,7 @@ detection: Image|endswith: 'FileCoAuth.exe' condition: selection and not 1 of filter_* falsepositives:
- - unknown
+ - Unknown
 level: informational tags: - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index 7c636c840..fb56bfbfd 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -24,7 +24,7 @@ detection: - '\mscorlib.dll' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.execution
diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 4852c145f..866440fb5 100644
--- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -33,5 +33,5 @@ detection: - 'C:\Windows\System32\NhNotifSys.exe' condition: selection and not 1 of filter* falsepositives:
- - unknown
+ - Unknown
 level: low # too many false positives \ No newline at end of file
diff --git a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
index b7b676eaa..55c9d793e 100644
--- a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
+++ b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
@@ -36,5 +36,5 @@ detection: Image|contains: 'c:\windows\' condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index f414f2148..714194dea 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -90,7 +90,7 @@ detection: - '127.' condition: selection and not 1 of filter* falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.command_and_control
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index a75bcb51b..e7644ca93 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -28,5 +28,5 @@ detection: - '::1' condition: selection and selection2 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 6aaf10275..79d24648f 100644
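Review bot: In the image_load_susp_system_drawing_load.yml hunk, the new `- Unknown` entry under `falsepositives:` sits directly above `level: low # too many false positives`, so the field now contradicts the comment on the very next line: the author evidently knows this rule fires on benign System.Drawing loads (hence the `filter*` exclusions and the `level: low`), and that knowledge belongs in the machine-readable field rather than in a trailing comment. Suggest replacing the entry with something like `- Legitimate applications loading System.Drawing; rule is known to be noisy despite the filter_* exclusions` and keeping the inline comment only as a pointer. The sweep rewrites exactly this line, so it is the natural moment to fix the wording. The rule's `detection` block starts outside the hunk, so I cannot tell how many exclusions it already carries.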
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -23,7 +23,7 @@ fields: - DestinationIp - DestinationPort falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.execution
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index e68489a5f..b67b6c071 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -20,7 +20,7 @@ detection: Initiated: 'true' condition: selection and filter falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.execution
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0c06e08d6..c88027f44 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -30,7 +30,7 @@ detection: - 'C:\Perflogs\' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.command_and_control
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index 421032085..d87a13800 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -32,5 +32,5 @@ detection: PipeName: '\PSEXESVC' condition: sysmon_pipecreated falsepositives:
- - unknown
+ - Unknown
 level: low
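Review bot: In the net_connection_win_silenttrinity_stager_msbuild_activity.yml hunk, `condition: selection and filter` two lines above the changed entry ANDs the `filter` block in as a positive constraint, which is the opposite of what the Sigma `filter` naming convention signals; every other rule in this sweep that has a `filter` uses `selection and not filter`. If `filter` (which ends with `Initiated: 'true'`) is an intentional inclusion, rename it, e.g. `selection_outbound:` with `condition: all of selection_*`; if it was meant as an exclusion, the condition should read `selection and not filter`. I can only see the block's last key, so which reading is intended is inferred from the name alone. Not introduced by this commit, but this hunk is the only place the rule is touched, and the `detection` block begins outside it.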
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index bd1a09cbb..23a33a84c 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -23,5 +23,5 @@ detection: - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe condition: selection and not filter falsepositives:
- - unknown
+ - Unknown
 level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index f5e493c93..1a6851330 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -22,5 +22,5 @@ detection: - 'char' condition: selection and filter falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index 6429b550c..af98c89a7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -23,5 +23,5 @@ detection: Payload|contains: 'Expand-Archive' condition: selection_4103 falsepositives:
- - unknown
+ - Unknown
 level: informational \ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 65e817515..bcc8cb36b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
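Review bot: In the posh_pc_xor_commandline.yml hunk, `condition: selection and filter` uses a block named `filter` (whose last item is `- 'char'`) as an additional inclusion rather than an exclusion, which contradicts the Sigma `filter` convention and the `selection and not filter` form used by the neighbouring posh_pc_renamed_powershell.yml hunk. If the `char`/keyword list is meant to narrow the match, rename it, e.g. `selection_keywords:` with `condition: all of selection_*`; if it was meant to exclude, write `selection and not filter`. The block's contents above `- 'char'` are outside the hunk, so the intent is inferred from the name only. Pre-existing, but this is the only hunk that touches the rule.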
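Review bot: In the posh_pm_decompress_commands.yml hunk, `falsepositives: - Unknown` is hard to justify when the visible selector is `Payload|contains: 'Expand-Archive'`, a stock PowerShell cmdlet that administrative scripts, installers and CI agents invoke routinely; the `level: informational` on the next line already concedes this. Suggest `- Legitimate administrative or deployment scripts extracting archives` in place of `Unknown` so downstream consumers see the expected benign sources. The hunk's last line also still carries `\ No newline at end of file`; since the line above is being rewritten anyway, adding the trailing newline would be free. The `selection_4103` block starts outside the hunk, so there may be additional selectors I cannot see.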
@@ -23,5 +23,5 @@ detection: Payload|contains: 'Get-Clipboard' condition: selection_4103 falsepositives:
- - unknown
+ - Unknown
 level: medium \ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index 5bfdf1b38..36fb17672 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -30,5 +30,5 @@ detection: Payload|endswith: 'readtoend' condition: selection_4103 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
index 7cb894a5b..600e33579 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
@@ -17,7 +17,7 @@ detection: - '\Windows\System32' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index 01135fb53..e639d7baf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -22,7 +22,7 @@ detection: ScriptBlockText|contains: '-recurse' condition: selection and recurse falsepositives:
- - unknown
+ - Unknown
 level: low tags: - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index ade15a001..e855b695c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -22,7 +22,7 @@ detection: ScriptBlockText|endswith: 'readtoend' condition: selection_4104 falsepositives:
- - unknown
+ - Unknown
 level: medium tags: - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index b6784c866..3ff340115 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -26,5 +26,5 @@ detection: ScriptBlockText|contains: '-stream' condition: all of selection* falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index 07c262c2e..a7e7ea2b5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -20,7 +20,7 @@ detection: - '.RegisterXLL' condition: selection falsepositives:
- - unknown
+ - Unknown
 level: high tags: - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index 6eb01be04..bbc104ada 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -17,7 +17,7 @@ detection: ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken condition: selection falsepositives: - - unknown + - Unknown level: high tags: - attack.credential_access diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml index 16124a1d0..23da97199 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml @@ -23,7 +23,7 @@ detection: - DoesNotRequirePreAuth condition: 1 of test_* falsepositives: - - unknown + - Unknown level: low tags: - attack.discovery diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml index 80a725b09..d613d7246 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml @@ -23,7 +23,7 @@ detection: - 'Win32_Group' condition: 1 of test_* falsepositives: - - unknown + - Unknown level: low tags: - attack.discovery diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml index 691fe178d..c5d2142b3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml @@ -19,7 +19,7 @@ detection: - 'System.DirectoryServices.Protocols.LdapConnection' condition: selection falsepositives: - - unknown + - Unknown level: low tags: - attack.credential_access 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml index 1019e8fda..7a45d7ab6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml @@ -21,7 +21,7 @@ detection: - '$' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.lateral_movement diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml index e9c09a8e5..6800f9f92 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml @@ -17,7 +17,7 @@ detection: ScriptBlockText|contains: get-smbshare condition: selection falsepositives: - - unknown + - Unknown level: low tags: - attack.discovery diff --git a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml index 7e59e4fb9..e6a124409 100644 --- a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml +++ b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml @@ -18,7 +18,7 @@ detection: - '0x1fffff' condition: selection falsepositives: - - unknown + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index fb8cad71a..1f7310c25 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml 
@@ -14,7 +14,7 @@ detection: CallTrace|startswith: 'UNKNOWN' condition: selection falsepositives: - - unknown + - Unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml index faf00f958..79a21ccf6 100755 --- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml +++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml @@ -21,5 +21,5 @@ detection: CallTrace|contains: 'UNKNOWN' condition: selection falsepositives: - - unknown + - Unknown level: high diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml index 7d79eb575..3261aca76 100644 --- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml +++ b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml @@ -17,7 +17,7 @@ detection: - 'UNKNOWN' condition: selection falsepositives: - - unknown + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml index f3482258d..e288ae455 100644 --- a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml @@ -22,7 +22,7 @@ fields: - TargetImage - CallTrace falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml index 35abd86d3..4d574d34f 100755 --- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml 
+++ b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml @@ -24,7 +24,7 @@ detection: CallTrace|contains: '|UNKNOWN' condition: selection and 1 of combination* falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml index 24e602704..5e8487936 100644 --- a/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml @@ -40,7 +40,7 @@ fields: - User - CommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.privilege_escalation diff --git a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml index b1c55d0e3..73c815892 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml @@ -20,7 +20,7 @@ detection: - '$' condition: selection falsepositives: - - unknown + - Unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml index fcc4833e3..de3673e4d 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml @@ -18,7 +18,7 @@ detection: - cmd.exe /c taskkill /im cmd.exe condition: selection falsepositives: - - unknown + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml index 8c97666b9..fff99d1d5 100644 
--- a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml @@ -28,7 +28,7 @@ detection: - 'c:\users\' condition: selection1 or selection2 falsepositives: - - unknown + - Unknown level: critical tags: - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml index 15cb6e19e..8b731bfb3 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml @@ -29,5 +29,5 @@ detection: - 'e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - - unknown + - Unknown level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml index eeb3dbded..ce0731a5d 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml @@ -40,5 +40,5 @@ detection: - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection falsepositives: - - unknown + - Unknown level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml index c7606ca3c..d768afac4 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml @@ -25,7 +25,7 @@ detection: Image: C:\Users\Public\7za.exe condition: selection1 or selection2 falsepositives: - - unknown + - Unknown level: critical tags: - attack.lateral_movement 
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml index 6733b9eeb..95d5e2288 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml @@ -38,5 +38,5 @@ detection: - '.db,' condition: ( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 ) falsepositives: - - unknown + - Unknown level: critical diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml index e9f887454..de1599d4b 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml @@ -21,7 +21,7 @@ detection: - 'C:\Windows\SysWOW64\' condition: selection and not filter falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml b/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml index 9f0add88c..f13454dc1 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml @@ -22,7 +22,7 @@ detection: CommandLine|contains: 'loaddll -a ' condition: selection falsepositives: - - unknown + - Unknown level: critical fields: - EventID diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml index 25182ae2a..06040fd9b 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml 
@@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\wmiprvse.exe' condition: selection falsepositives: - - unknown + - Unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml index 8d361c2c1..7dc95edf6 100644 --- a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml @@ -22,5 +22,5 @@ detection: - 'reg add' condition: selection_cmdline falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml index 58092c51d..18c8b7390 100644 --- a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml +++ b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml @@ -24,7 +24,7 @@ detection: - '-keepVersions:0' condition: all of wbadmin_* falsepositives: - - unknown + - Unknown level: high tags: - attack.impact diff --git a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml index 6abc90c2d..cc35645cb 100644 --- a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml +++ b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml @@ -16,7 +16,7 @@ detection: CurrentDirectory|endswith: '\hxtsr.exe' condition: selection and not filter falsepositives: - - unknown + - Unknown level: medium tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml index e41e4d43e..d186a29de 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml @@ -26,7 +26,7 @@ detection: - '/serverlevelplugindll' condition: dnsadmin falsepositives: - - unknown + - Unknown level: high fields: - EventID diff --git a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml index 59c1c21d6..6d48a11f0 100644 --- a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml +++ b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml @@ -21,7 +21,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: critical tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml index d3c556967..c22669b2e 100644 --- a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml @@ -34,7 +34,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml index 285ede822..f0cc9a06d 100644 --- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml +++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml 
@@ -30,7 +30,7 @@ detection: - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions' condition: reg and hive falsepositives: - - unknown + - Unknown level: medium tags: - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index 16252c8da..4717c23c2 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml @@ -23,7 +23,7 @@ detection: CommandLine|contains: 'COMPlus_ETWEnabled=0' condition: selection falsepositives: - - unknown + - Unknown level: critical tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml index e18716b04..9766f615b 100644 --- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml @@ -18,7 +18,7 @@ detection: fields: - CommandLine falsepositives: - - unknown + - Unknown level: critical tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml index 7545a1827..77816a02a 100644 --- a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml @@ -25,5 +25,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml index 9080a46f3..eb1ff5b87 100644 
--- a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml @@ -47,7 +47,7 @@ fields: - ParentProcess - CommandLine falsepositives: - - unknown + - Unknown level: medium tags: - attack.t1211 diff --git a/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml b/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml index c3cef36b1..1cae4941d 100644 --- a/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml +++ b/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml @@ -17,7 +17,7 @@ detection: IntegrityLevel: 'High' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.privilege_escalation diff --git a/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml b/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml index 6eb7b0667..0c88271df 100644 --- a/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml +++ b/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml @@ -26,7 +26,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml index ccd852955..691ababcb 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml @@ -21,7 +21,7 @@ detection: CommandLine|endswith: 'readtoend' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml b/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml index a3ada3325..3070179c1 100644 --- a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml +++ b/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml @@ -19,5 +19,5 @@ detection: - aspnet_compiler.exe condition: selection falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml b/rules/windows/process_creation/proc_creation_win_lobas_bash.yml index ffe5a4f6a..7214f0343 100644 --- a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml +++ b/rules/windows/process_creation/proc_creation_win_lobas_bash.yml @@ -19,5 +19,5 @@ detection: - '-c ' condition: selection falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml b/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml index ed6eef040..9e38bb185 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml @@ -22,5 +22,5 @@ detection: - 'ftp://' condition: lolbas and remote falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml index 9fb92a016..f52cc0c0c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml @@ -20,5 +20,5 @@ detection: - '.cab' condition: lolbas falsepositives: - - unknown + - Unknown level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml index e37a63a2d..26715115b 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml @@ -17,5 +17,5 @@ detection: CommandLine|contains: Extexport.exe condition: lolbas falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml index 681305e2e..2239e1ca9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml @@ -24,5 +24,5 @@ detection: - ' \\' condition: lolbas and options falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml index 57d431986..298fb9aa5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml @@ -20,5 +20,5 @@ detection: CommandLine|re: ':[^\\\\]' condition: lolbas falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml index 9aec80749..7053d03df 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml @@ -18,7 +18,7 @@ detection: CurrentDirectory: null condition: lolbas and not 1 of filter_* falsepositives: - - unknown + - Unknown level: medium tags: - attack.defense_evasion 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml index b22fbc7e9..0297a55fc 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml @@ -16,7 +16,7 @@ detection: - '/A' condition: lolbas falsepositives: - - unknown + - Unknown level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml index bc46eeccb..2241ded9a 100644 --- a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml +++ b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml @@ -20,7 +20,7 @@ detection: - ' -FilePath \\\\127.0.0.1\\C$' condition: selection falsepositives: - - unknown + - Unknown level: critical fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml index dc66bb56a..c5ff7aa41 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml @@ -28,5 +28,5 @@ detection: CommandLine|endswith: 'COR_PROFILER' condition: sc_cmd or wmic_cmd falsepositives: - - unknown + - Unknown level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml index 465d9c9de..2f66c8dc7 100644 --- a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml +++ b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml 
@@ -17,7 +17,7 @@ detection: CommandLine|contains: ' /INJECTRUNNING ' condition: selection falsepositives: - - unknown + - Unknown level: critical tags: - attack.t1055.001 diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml index 0adec45fa..b0f591390 100644 --- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml @@ -67,5 +67,5 @@ detection: - '.pl' condition: 1 of selection_cmdline_* falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml index 6a83af5e9..845e0dae1 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml @@ -21,7 +21,7 @@ fields: - User - CommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_office_shell.yml b/rules/windows/process_creation/proc_creation_win_office_shell.yml index c333177bc..a5bb9fa2d 100644 --- a/rules/windows/process_creation/proc_creation_win_office_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_office_shell.yml @@ -47,7 +47,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml index c920f4450..cb55b83bf 100644 --- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml 
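Review bot: In proc_creation_win_mavinject_proc_inj.yml `falsepositives` remains `Unknown` while the rule is rated `level: critical`, but the matched switch ` /INJECTRUNNING ` is the normal invocation mavinject.exe receives from the Microsoft Application Virtualization (App-V) client when it injects its hooks into virtualized applications. On hosts with App-V enabled this will alert on legitimate activity, so the field should record it, e.g. `- Microsoft App-V client injecting into virtualized applications on hosts where App-V is deployed`. The `selection` block that constrains the image starts above the hunk; if it does not restrict the parent process, an App-V parent exclusion would be the natural tuning point.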
+++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml @@ -34,5 +34,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml index 71e695cf7..e1f2a1e50 100644 --- a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml @@ -56,7 +56,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_download.yml index f68352373..f9637d41d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download.yml @@ -23,7 +23,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: medium tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml index 7b42b8dd9..487acdcbd 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -25,7 +25,7 @@ detection: - C:\Program Files\Amazon\SSM\ssm-document-worker.exe condition: selection and filter and not false_positives falsepositives: - - unknown + - Unknown level: medium tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml index 54f58c18f..c17fe5de4 100644 
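Review bot: In proc_creation_win_powershell_xor_commandline.yml the metadata says `falsepositives: - Unknown`, yet the detection itself already encodes a known benign source: the `false_positives` selection excludes `C:\Program Files\Amazon\SSM\ssm-document-worker.exe`, i.e. the Amazon SSM Agent document worker. The metadata should match the logic, e.g. `- Amazon SSM Agent (ssm-document-worker.exe), excluded via the false_positives selection`. Separately, the condition reads `selection and filter and not false_positives`; if `filter` is an exclusion, as the Sigma naming convention suggests, it should be `and not filter`, and if it is an additional required match it deserves a name that says so. The selection definitions start above the hunk, so I cannot confirm which it is.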
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml @@ -23,7 +23,7 @@ detection: - '/d ' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml index e7fc41db3..cca0a3e26 100644 --- a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml +++ b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml @@ -14,7 +14,7 @@ detection: Image|contains: '.zip\' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.impact diff --git a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml index ddcae5ee2..120e7670a 100644 --- a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml +++ b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml @@ -34,5 +34,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml index dcba32e7e..8606c0e42 100644 --- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml @@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\sdclt.exe' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.privilege_escalation 
diff --git a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml index bc5d7d4b2..8cb212b0f 100644 --- a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml @@ -18,5 +18,5 @@ detection: Description|contains: 'st2stager' condition: selection falsepositives: - - unknown + - Unknown level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml index 22257a097..22466e28f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml @@ -19,7 +19,7 @@ detection: - '-encode' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml index 791898f77..75a8be92a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml @@ -23,7 +23,7 @@ detection: - 'ΒΆ' condition: selection falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml index 15c5bdfad..0c0d63abc 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml @@ -17,7 +17,7 @@ detection: CommandLine|contains: ' /w:' condition: selection falsepositives: - - unknown + - Unknown level: medium tags: - attack.impact 
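Review bot: In proc_creation_win_susp_char_in_cmd.yml the last list entry renders as `- 'ΒΆ'`, which is exactly what the UTF-8 encoding of the pilcrow `¶` (bytes C2 B6) looks like when decoded as ISO-8859-7, so this is likely a mojibake of the intended `- '¶'`. If the committed file really contains the two Greek letters rather than the pilcrow, that entry can never match the character it was written for and the rule silently loses coverage; if it is only this page's rendering, nothing is wrong. Please verify the file is saved as UTF-8 and that the byte sequence on that line is C2 B6, and consider adding a comment such as `# U+00B6 PILCROW SIGN` next to the entry so the intent survives future re-encodings.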
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml index 2bd94ad65..829567483 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml @@ -25,5 +25,5 @@ detection: - '/lan ' condition: cmdl32 and options falsepositives: - - unknown + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml index 6aefefbfe..e82b89a35 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml @@ -27,7 +27,7 @@ detection: ParentImage|startswith: 'C:\Program' condition: selection and not falsepositive falsepositives: - - unknown + - Unknown level: high tags: - attack.collection diff --git a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml index 9a74827f3..df08b20f3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml @@ -26,7 +26,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - unknown + - Unknown level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_del.yml b/rules/windows/process_creation/proc_creation_win_susp_del.yml index 7ca3e7950..c065e0976 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_del.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_del.yml 
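Review bot: In proc_creation_win_susp_compression_params.yml the exclusion `ParentImage|startswith: 'C:\Program'` is wider than its name suggests: the prefix also matches `C:\ProgramData\`, a writable location commonly used to stage tooling, so an archiver launched from there is silently whitelisted. Tighten the prefix to the two intended roots, `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`. The `falsepositives` entry is also still a placeholder although the `falsepositive` selection exists precisely to cover legitimate installed backup or archiving software; naming that source there would make the exclusion's purpose explicit.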
@@ -25,5 +25,5 @@ detection:
 condition: susp_del_exe or susp_del_dll
 #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
index 124c6e4e7..5d9e52657 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
@@ -17,7 +17,7 @@ detection:
 - ' /b'
 condition: dir
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
index 27e7abff3..757f5db20 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
@@ -20,7 +20,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_format.yml b/rules/windows/process_creation/proc_creation_win_susp_format.yml
index 8ac166b9a..bf7f5f1a3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_format.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_format.yml
@@ -25,5 +25,5 @@ detection:
 - '/fs:ReFS'
 condition: selection and not 1 of filter*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index bcdd3e29e..05d19eed8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -30,5 +30,5 @@ detection:
 - 'MemCompression'
 condition: not image_absolute_path and not 1 of filter*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml b/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
index b4ee08af1..279ff01f6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
@@ -24,7 +24,7 @@ detection:
 - ' sessions '
 condition: netstat or (net_cmd and net_opt)
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 7e864aaee..4489c65b7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -78,6 +78,6 @@ detection:
 - '.rbs'
 condition: not known_image_extension and not 1 of filter*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml b/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
index 55ef07833..0dc795a59 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
@@ -22,7 +22,7 @@ detection:
 - '.exe'
 condition: clientMailRules or outlookExec
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
index eab62357c..459111265 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
@@ -21,7 +21,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
index 5894d957c..040477109 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
@@ -17,5 +17,5 @@ detection:
 - '> \\\\localhost\\admin$'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
index 5949587fa..39795b0cd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
@@ -32,5 +32,5 @@ detection:
 - 'RecoveryKeyMessage'
 condition: set and key
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
index d189fee78..d5231b3d5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
@@ -31,7 +31,7 @@ detection:
 - 'hkcu\software\classes\ms-settings'
 condition: 1 of selection_*
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
index 4f232b8ce..28d587b80 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
@@ -19,5 +19,5 @@ detection:
 CommandLine|endswith: '.jpg' # can add other
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
index a9103c537..df1dbfa8e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
@@ -22,7 +22,7 @@ detection:
 - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
 condition: image and not filter_parent
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
index 05d55fb8d..3c704f06d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
@@ -22,6 +22,6 @@ detection:
 - ';document.write();GetObject("script'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
index 7921b4eaf..8c7395284 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
@@ -14,7 +14,7 @@ detection:
 CommandLine|contains: 'sc query'
 condition: sc_query
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
index c0273b06d..64c8fe044 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
@@ -26,5 +26,5 @@ detection:
 - '\klcp_update_task.xml'
 condition: schtasks and option and not 1 of filter_*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
index f9f4422d2..a9735d53f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
@@ -40,5 +40,5 @@ detection:
 - '\AppVLP.exe'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
index 68666a91e..bbaf07923 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
@@ -33,7 +33,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
index dad55bb72..4149781b4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
@@ -17,7 +17,7 @@ detection:
 CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
index e197ac668..e35eaa87e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
@@ -21,7 +21,7 @@ detection:
 - 'places.sqlite'
 condition: all of where_*
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml b/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
index 427cf76ea..767cc0e02 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
@@ -29,5 +29,5 @@ detection:
 - '.zip'
 condition: run or delete
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
index a64b4b6ef..9723e3670 100644
--- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
+++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
@@ -18,7 +18,7 @@ detection:
 CommandLine|contains: ' group'
 condition: test_5
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index 8ccb98db3..32e4c292e 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -29,5 +29,5 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
index a6e7c236e..d8e539dc6 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
@@ -32,5 +32,5 @@ detection:
 User|startswith: 'NT AUTHORITY\SYSTEM'
 condition: sysmon_processcreation
 falsepositives:
- - unknown
+ - Unknown
 level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
index e9a92cdbb..9daf1df83 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
@@ -17,7 +17,7 @@ detection:
 CommandLine|contains: '-u'
 condition: sysmon
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
index 883c3fc7f..4b7cf1ccc 100644
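Review bot: Both proc_creation_win_sysmon_uac_bypass_eventvwr.yml and proc_creation_win_tool_psexec.yml still carry `\ No newline at end of file` after their final `level:` line, and this commit rewrites the line immediately above without fixing it. For a `level: critical` rule that is going to be reformatted and re-diffed repeatedly, a missing final newline means every later edit to the tail shows up as a two-line change; adding the newline while the tail is already being touched avoids that and satisfies yamllint's `new-line-at-end-of-file`. The detection logic those levels describe is outside the hunk.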
--- a/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
@@ -25,7 +25,7 @@ fields:
 - TargetFilename
 - Image
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
index ea60a52bd..aacaaae88 100644
--- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
@@ -19,7 +19,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.t1203
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
index fea0fc749..02d01a599 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
@@ -67,5 +67,5 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
index 6ae3785b5..e8e0774a2 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
@@ -34,7 +34,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
index 08b8f9352..08097055a 100644
--- a/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
@@ -20,5 +20,5 @@ detection:
 Image|endswith: 'lsass.exe'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry_event/registry_event_apt_pandemic.yml
index eef303ef2..ae48ef5e2 100755
--- a/rules/windows/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry_event/registry_event_apt_pandemic.yml
@@ -19,7 +19,7 @@ detection:
 TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 fields:
 - EventID
diff --git a/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
index f4037542f..08c3f7ea2 100644
--- a/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
@@ -22,7 +22,7 @@ fields:
 - EventType
 - TargetObject
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml b/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
index 9d7818cbf..e21e4b644 100644
--- a/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
@@ -33,5 +33,5 @@ detection:
 - 'powershell'
 condition: selection1 and (selection2 or selection3)
 falsepositives:
- - unknown
+ - Unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml b/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
index 4f4bcdb13..96217d7a8 100644
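Review bot: registry_event_cobaltstrike_service_installs.yml keeps its `\ No newline at end of file` after `level: critical`; the commit changes the `falsepositives` entry one line up and leaves the file unterminated. Ending the file with a newline here costs nothing, keeps yamllint quiet, and stops the final line from being re-diffed on the next touch. Also worth noting that the same hunk shows `index 9d7818cbf..e21e4b644 100644` while several neighbouring rules are `100755`; an executable bit on a detection-rule YAML is almost certainly accidental and could be normalized in the same housekeeping pass. The `selection1`/`selection2`/`selection3` definitions are outside the hunk.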
--- a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
+++ b/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
@@ -17,7 +17,7 @@ detection:
 - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml b/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
index 99fb16bc1..1ad7fb060 100755
--- a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
@@ -19,7 +19,7 @@ detection:
 - '\Services\DHCPServer\Parameters\CalloutEnabled'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml b/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
index bbf21c9fc..7cacb2c85 100644
--- a/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
+++ b/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
@@ -33,5 +33,5 @@ detection:
 Details: 'DWORD (0x00000001)'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
index 938a1f7c1..20f2abd92 100755
--- a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
@@ -20,7 +20,7 @@ detection:
 TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
 condition: dnsregmod
 falsepositives:
- - unknown
+ - Unknown
 level: high
 fields:
 - EventID
diff --git a/rules/windows/registry_event/registry_event_etw_disabled.yml b/rules/windows/registry_event/registry_event_etw_disabled.yml
index 5253af2c4..a28b1099b 100644
--- a/rules/windows/registry_event/registry_event_etw_disabled.yml
+++ b/rules/windows/registry_event/registry_event_etw_disabled.yml
@@ -25,7 +25,7 @@ detection:
 Details: 'DWORD (0x00000000)'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry_event/registry_event_mal_azorult.yml
index 8825a00e7..6762965f6 100644
--- a/rules/windows/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry_event/registry_event_mal_azorult.yml
@@ -23,7 +23,7 @@ fields:
 - TargetObject
 - TargetDetails
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
index ba78af086..1544a4286 100644
--- a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
+++ b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
@@ -22,5 +22,5 @@ detection:
 TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
 condition: mod_reg
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
index 25b700088..096469ad9 100644
--- a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
+++ b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
@@ -23,5 +23,5 @@ detection:
 TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
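Review bot: registry_event_mal_blue_mockingbird.yml is still left without a terminating newline (`\ No newline at end of file` after `level: high`) even though the commit rewrites the `falsepositives` entry two lines above. Adding the final newline in the same normalization pass keeps yamllint's `new-line-at-end-of-file` check clean and avoids re-diffing the tail on the next edit. The `mod_reg` selection that `condition: mod_reg` refers to is outside the hunk.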
diff --git a/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
index fb729a92c..73d893dda 100755
--- a/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -18,7 +18,7 @@ detection:
 TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
index 8513edd9e..a98f749d3 100644
--- a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
+++ b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
@@ -33,5 +33,5 @@ detection:
 fields:
 - Details
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml b/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
index b52181a52..64ded1cfb 100644
--- a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
+++ b/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
@@ -28,5 +28,5 @@ detection:
 fields:
 - Details
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_persistence.yml b/rules/windows/registry_event/registry_event_persistence.yml
index 2014a9f78..7af6f2753 100755
--- a/rules/windows/registry_event/registry_event_persistence.yml
+++ b/rules/windows/registry_event/registry_event_persistence.yml
@@ -26,7 +26,7 @@ detection:
 - '\MonitorProcess'
 condition: selection_reg1 and selection_reg2
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
index f9cd9cabf..02885d46f 100644
--- a/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
@@ -21,5 +21,5 @@ tags:
 - attack.persistence
 - attack.t1547
 falsepositives:
- - unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml b/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
index 20ff152cb..ff45084c2 100755
--- a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
@@ -23,7 +23,7 @@ detection:
 - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
 condition: selection_reg
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml b/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
index 9428a3d39..bc18c0460 100644
--- a/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
@@ -22,5 +22,5 @@ detection:
 - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
index c28567261..2e70fd9fc 100644
--- a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
@@ -32,7 +32,7 @@ detection:
 TargetObject|startswith: 'HKCR\Dropbox.'
 condition: selection and not 1 of filter_*
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
index ea6a92f21..fa92b605d 100644
--- a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
+++ b/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
@@ -19,5 +19,5 @@ detection:
 TargetObject|contains: '\Software\Sysinternals\SDelete'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_telemetry_persistence.yml b/rules/windows/registry_event/registry_event_telemetry_persistence.yml
index 8f438c6a1..3aa1029b3 100644
--- a/rules/windows/registry_event/registry_event_telemetry_persistence.yml
+++ b/rules/windows/registry_event/registry_event_telemetry_persistence.yml
@@ -24,7 +24,7 @@ detection:
 - '\system32\DeviceCensus.exe'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
index bb1ad8524..137219d47 100755
--- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
@@ -17,7 +17,7 @@ detection:
 TargetObject|endswith: '\mscfile\shell\open\command'
 condition: methregistry
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
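Review bot: registry_event_sysinternals_sdelete_registry_keys.yml still ends with `\ No newline at end of file` after `level: medium`, one line below the `falsepositives` entry this commit rewrites. Terminating the file with a newline while the tail is already being edited keeps yamllint's `new-line-at-end-of-file` check clean and prevents the last line from showing as modified in the next unrelated diff. The `selection` block that `condition: selection` refers to is outside the hunk.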
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml b/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
index cbb40e35c..01bc5c6c6 100755
--- a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
@@ -20,7 +20,7 @@ detection:
 Details|contains: '-1???\Software\Classes\'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion