From b23eee6ebf43f4b220e95fabe118574d1b5790f3 Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 13:43:54 +0100
Subject: [PATCH 1/7] fix: unknown --> Unknown

---
.../driver_load_invoke_obfuscation_via_compress_services.yml | 2 +-
rules-unsupported/sysmon_process_reimaging.yml | 2 +-
.../rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml | 2 +-
rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml | 2 +-
.../rpc_firewall_itaskschedulerservice_lateral_movement.yml | 2 +-
.../rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml | 2 +-
.../rpc_firewall/rpc_firewall_sasec_lateral_movement.yml | 2 +-
rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml | 2 +-
rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml | 2 +-
rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 2 +-
rules/cloud/aws/aws_rds_public_db_restore.yml | 2 +-
rules/compliance/default_credentials_usage.yml | 2 +-
rules/compliance/firewall_cleartext_protocols.yml | 2 +-
rules/compliance/group_modification_logging.yml | 2 +-
rules/compliance/netflow_cleartext_protocols.yml | 2 +-
rules/compliance/workstation_was_locked.yml | 2 +-
rules/linux/auditd/lnx_auditd_cve_2021_4034.yml | 2 +-
.../network/zeek/zeek_http_executable_download_from_webdav.yml | 2 +-
rules/network/zeek/zeek_http_webdav_put_request.yml | 2 +-
rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml | 2 +-
rules/web/web_source_code_enumeration.yml | 2 +-
rules/windows/builtin/dns_server/win_apt_gallium.yml | 2 +-
.../win_exchange_proxyshell_remove_mailbox_export.yml | 2 +-
.../win_arbitrary_shell_execution_via_settingcontent.yml | 2 +-
rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml | 2 +-
rules/windows/builtin/security/win_etw_modification.yml | 2 +-
rules/windows/builtin/security/win_hidden_user_creation.yml | 2 +-
.../win_invoke_obfuscation_via_compress_services_security.yml | 2 +-
rules/windows/builtin/security/win_rdp_reverse_tunnel.yml | 2 +-
.../builtin/security/win_sysmon_channel_reference_deletion.yml | 2 +-
.../system/win_invoke_obfuscation_via_compress_services.yml | 2 +-
rules/windows/builtin/system/win_pcap_drivers.yml | 2 +-
rules/windows/builtin/system/win_susp_system_update_error.yml | 2 +-
rules/windows/builtin/system/win_tool_psexec.yml | 2 +-
rules/windows/create_remote_thread/sysmon_cactustorch.yml | 2 +-
.../sysmon_cobaltstrike_process_injection.yml | 2 +-
rules/windows/create_stream_hash/sysmon_ads_executable.yml | 2 +-
.../dns_query/dns_query_win_regsvr32_network_activity.yml | 2 +-
rules/windows/file_delete/file_delete_win_delete_appli_log.yml | 2 +-
rules/windows/file_event/file_event_win_outlook_newform.yml | 2 +-
.../file_event/file_event_win_startup_folder_file_write.yml | 2 +-
rules/windows/file_event/file_event_win_tool_psexec.yml | 2 +-
.../file_event/file_event_win_tsclient_filewrite_startup.yml | 2 +-
.../file_event/file_event_win_winword_cve_2021_40444.yml | 2 +-
.../windows/image_load/image_load_abusing_azure_browser_sso.yml | 2 +-
.../image_load/image_load_mimikatz_inmemory_detection.yml | 2 +-
rules/windows/image_load/image_load_silenttrinity_stage_use.yml | 2 +-
rules/windows/image_load/image_load_susp_advapi32_dll.yml | 2 +-
.../image_load/image_load_susp_script_dotnet_clr_dll_load.yml | 2 +-
.../windows/image_load/image_load_susp_system_drawing_load.yml | 2 +-
rules/windows/image_load/image_load_suspicious_vss_ps_load.yml | 2 +-
.../net_connection_win_malware_backconnect_ports.yml | 2 +-
.../net_connection_win_rdp_reverse_tunnel.yml | 2 +-
.../net_connection_win_regsvr32_network_activity.yml | 2 +-
...net_connection_win_silenttrinity_stager_msbuild_activity.yml | 2 +-
...net_connection_win_susp_prog_location_network_connection.yml | 2 +-
rules/windows/pipe_created/pipe_created_tool_psexec.yml | 2 +-
.../powershell_classic/posh_pc_renamed_powershell.yml | 2 +-
.../powershell/powershell_classic/posh_pc_xor_commandline.yml | 2 +-
.../powershell_module/posh_pm_decompress_commands.yml | 2 +-
.../powershell/powershell_module/posh_pm_get_clipboard.yml | 2 +-
.../posh_pm_invoke_obfuscation_via_compress.yml | 2 +-
.../powershell/powershell_script/posh_ps_copy_item_system32.yml | 2 +-
.../powershell_script/posh_ps_file_and_directory_discovery.yml | 2 +-
.../posh_ps_invoke_obfuscation_via_compress.yml | 2 +-
.../powershell/powershell_script/posh_ps_ntfs_ads_access.yml | 2 +-
.../powershell_script/posh_ps_office_comobject_registerxll.yml | 2 +-
.../powershell_script/posh_ps_request_kerberos_ticket.yml | 2 +-
.../powershell_script/posh_ps_suspicious_ad_group_reco.yml | 2 +-
.../powershell_script/posh_ps_suspicious_local_group_reco.yml | 2 +-
.../powershell_script/posh_ps_suspicious_networkcredential.yml | 2 +-
.../powershell_script/posh_ps_suspicious_new_psdrive.yml | 2 +-
.../powershell_script/posh_ps_suspicious_smb_share_reco.yml | 2 +-
.../proc_access_win_cobaltstrike_bof_injection_pattern.yml | 2 +-
.../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +-
rules/windows/process_access/proc_access_win_invoke_phantom.yml | 2 +-
.../proc_access_win_littlecorporal_generated_maldoc.yml | 2 +-
..._access_win_load_undocumented_autoelevated_com_interface.yml | 2 +-
.../proc_access_win_malware_verclsid_shellcode.yml | 2 +-
.../proc_creation_win_abusing_debug_privilege.yml | 2 +-
.../process_creation/proc_creation_win_apt_apt29_thinktanks.yml | 2 +-
.../process_creation/proc_creation_win_apt_babyshark.yml | 2 +-
.../proc_creation_win_apt_bear_activity_gtr19.yml | 2 +-
.../windows/process_creation/proc_creation_win_apt_gallium.yml | 2 +-
.../process_creation/proc_creation_win_apt_gallium_sha1.yml | 2 +-
.../proc_creation_win_apt_judgement_panda_gtr19.yml | 2 +-
.../process_creation/proc_creation_win_apt_lazarus_loader.yml | 2 +-
.../proc_creation_win_apt_lazarus_session_highjack.yml | 2 +-
.../windows/process_creation/proc_creation_win_apt_pandemic.yml | 2 +-
.../process_creation/proc_creation_win_apt_ta505_dropper.yml | 2 +-
.../proc_creation_win_credential_access_via_password_filter.yml | 2 +-
.../proc_creation_win_delete_systemstatebackup.yml | 2 +-
.../proc_creation_win_detecting_fake_instances_of_hxtsr.yml | 2 +-
.../proc_creation_win_dns_serverlevelplugindll.yml | 2 +-
.../proc_creation_win_encoded_frombase64string.yml | 2 +-
.../windows/process_creation/proc_creation_win_encoded_iex.yml | 2 +-
...roc_creation_win_enumeration_for_credentials_in_registry.yml | 2 +-
.../proc_creation_win_etw_modification_cmdline.yml | 2 +-
.../proc_creation_win_exploit_cve_2017_11882.yml | 2 +-
.../proc_creation_win_headless_browser_file_download.yml | 2 +-
.../proc_creation_win_hiding_malware_in_fonts_folder.yml | 2 +-
.../process_creation/proc_creation_win_high_integrity_sdclt.yml | 2 +-
.../process_creation/proc_creation_win_html_help_spawn.yml | 2 +-
.../proc_creation_win_invoke_obfuscation_via_compress.yml | 2 +-
.../proc_creation_win_lobas_aspnet_compiler.yml | 2 +-
rules/windows/process_creation/proc_creation_win_lobas_bash.yml | 2 +-
.../proc_creation_win_lolbas_configsecuritypolicy.yml | 2 +-
.../proc_creation_win_lolbas_diantz_remote_cab.yml | 2 +-
.../process_creation/proc_creation_win_lolbas_extexport.yml | 2 +-
.../process_creation/proc_creation_win_lolbas_extrac32.yml | 2 +-
.../process_creation/proc_creation_win_lolbas_extrac32_ads.yml | 2 +-
.../proc_creation_win_lolbas_offlinescannershell.yml | 2 +-
.../process_creation/proc_creation_win_lolbas_replace.yml | 2 +-
.../process_creation/proc_creation_win_mailboxexport_share.yml | 2 +-
.../process_creation/proc_creation_win_mal_blue_mockingbird.yml | 2 +-
.../process_creation/proc_creation_win_mavinject_proc_inj.yml | 2 +-
.../proc_creation_win_modif_of_services_for_via_commandline.yml | 2 +-
.../process_creation/proc_creation_win_mshta_javascript.yml | 2 +-
.../windows/process_creation/proc_creation_win_office_shell.yml | 2 +-
.../proc_creation_win_office_spawn_exe_from_users_directory.yml | 2 +-
.../process_creation/proc_creation_win_outlook_shell.yml | 2 +-
.../process_creation/proc_creation_win_powershell_download.yml | 2 +-
.../proc_creation_win_powershell_xor_commandline.yml | 2 +-
.../proc_creation_win_reg_service_imagepath_change.yml | 2 +-
.../windows/process_creation/proc_creation_win_run_from_zip.yml | 2 +-
.../proc_creation_win_script_event_consumer_spawn.yml | 2 +-
.../process_creation/proc_creation_win_sdclt_child_process.yml | 2 +-
.../proc_creation_win_silenttrinity_stage_use.yml | 2 +-
.../process_creation/proc_creation_win_susp_certutil_encode.yml | 2 +-
.../process_creation/proc_creation_win_susp_char_in_cmd.yml | 2 +-
.../windows/process_creation/proc_creation_win_susp_cipher.yml | 2 +-
.../process_creation/proc_creation_win_susp_cmdl32_lolbas.yml | 2 +-
.../proc_creation_win_susp_compression_params.yml | 2 +-
.../proc_creation_win_susp_comsvcs_procdump.yml | 2 +-
rules/windows/process_creation/proc_creation_win_susp_del.yml | 2 +-
rules/windows/process_creation/proc_creation_win_susp_dir.yml | 2 +-
.../process_creation/proc_creation_win_susp_findstr_lnk.yml | 2 +-
.../windows/process_creation/proc_creation_win_susp_format.yml | 2 +-
.../process_creation/proc_creation_win_susp_image_missing.yml | 2 +-
.../proc_creation_win_susp_network_listing_connections.yml | 2 +-
.../process_creation/proc_creation_win_susp_non_exe_image.yml | 2 +-
.../windows/process_creation/proc_creation_win_susp_outlook.yml | 2 +-
.../proc_creation_win_susp_powershell_empire_uac_bypass.yml | 2 +-
.../proc_creation_win_susp_redir_local_admin_share.yml | 2 +-
.../process_creation/proc_creation_win_susp_reg_bitlocker.yml | 2 +-
.../proc_creation_win_susp_reg_open_command.yml | 2 +-
.../process_creation/proc_creation_win_susp_regsvr32_image.yml | 2 +-
.../process_creation/proc_creation_win_susp_run_folder.yml | 2 +-
.../proc_creation_win_susp_rundll32_js_runhtmlapplication.yml | 2 +-
.../process_creation/proc_creation_win_susp_sc_query.yml | 2 +-
.../proc_creation_win_susp_schtasks_user_temp.yml | 2 +-
.../proc_creation_win_susp_shell_spawn_by_java_keytool.yml | 2 +-
.../proc_creation_win_susp_trolleyexpress_procdump.yml | 2 +-
.../proc_creation_win_susp_webdav_client_execution.yml | 2 +-
.../process_creation/proc_creation_win_susp_where_execution.yml | 2 +-
.../windows/process_creation/proc_creation_win_susp_zipexec.yml | 2 +-
.../process_creation/proc_creation_win_suspicious_ad_reco.yml | 2 +-
.../proc_creation_win_sysmon_uac_bypass_eventvwr.yml | 2 +-
.../windows/process_creation/proc_creation_win_tool_psexec.yml | 2 +-
.../process_creation/proc_creation_win_uninstall_sysmon.yml | 2 +-
.../proc_creation_win_using_settingsynchost_as_lolbin.yml | 2 +-
.../proc_creation_win_vul_java_remote_debugging.yml | 2 +-
.../process_creation/proc_creation_win_webshell_detection.yml | 2 +-
.../proc_creation_win_webshell_recon_detection.yml | 2 +-
.../registry_event/registry_event_add_local_hidden_user.yml | 2 +-
rules/windows/registry_event/registry_event_apt_pandemic.yml | 2 +-
.../registry_event/registry_event_bypass_via_wsreset.yml | 2 +-
.../registry_event_cobaltstrike_service_installs.yml | 2 +-
rules/windows/registry_event/registry_event_comhijack_sdclt.yml | 2 +-
rules/windows/registry_event/registry_event_dhcp_calloutdll.yml | 2 +-
...egistry_event_disable_microsoft_office_security_features.yml | 2 +-
.../registry_event/registry_event_dns_serverlevelplugindll.yml | 2 +-
rules/windows/registry_event/registry_event_etw_disabled.yml | 2 +-
rules/windows/registry_event/registry_event_mal_azorult.yml | 2 +-
.../registry_event/registry_event_mal_blue_mockingbird.yml | 2 +-
.../registry_event/registry_event_mstsc_history_cleared.yml | 2 +-
.../registry_event_narrator_feedback_persistance.yml | 2 +-
.../registry_event_outlook_registry_todaypage.yml | 2 +-
.../registry_event/registry_event_outlook_registry_webview.yml | 2 +-
rules/windows/registry_event/registry_event_persistence.yml | 2 +-
.../registry_event/registry_event_persistence_recycle_bin.yml | 2 +-
.../registry_event/registry_event_rdp_settings_hijack.yml | 2 +-
.../registry_event/registry_event_removal_amsi_registry_key.yml | 2 +-
.../registry_event_removal_com_hijacking_registry_key.yml | 2 +-
.../registry_event_sysinternals_sdelete_registry_keys.yml | 2 +-
.../registry_event/registry_event_telemetry_persistence.yml | 2 +-
.../registry_event/registry_event_uac_bypass_eventvwr.yml | 2 +-
.../windows/registry_event/registry_event_uac_bypass_sdclt.yml | 2 +-
188 files changed, 188 insertions(+), 188 deletions(-)

diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
index b97a2ad42..53a1cc506 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
@@ -24,7 +24,7 @@ detection:
 ImagePath|endswitch: 'readtoend'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
index 89530befa..6d6b0e27d 100644
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@@ -22,7 +22,7 @@ modified: 2021/12/02
 detection:
 condition: all of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 ---
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 74039ee14..66ec17a1d 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -30,5 +30,5 @@ detection:
 - 1
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 4ee610ce7..9bece1cfc 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -27,5 +27,5 @@ detection:
 - 1
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index e6cf10772..f2b230198 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -38,5 +38,5 @@ detection:
 - 15
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index 67ed17d74..8df44f543 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -33,5 +33,5 @@ detection:
 - 15
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 0e0151b04..45f389dcd 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -30,5 +30,5 @@ detection:
 - 1
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index aa28a4bc5..1ce665d32 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -26,5 +26,5 @@ detection:
 - 1
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
index 0cbbce502..fac7b591d 100644
--- a/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml
@@ -15,7 +15,7 @@ detection:
 eventName: DeleteFileSystem
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.impact
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index 86583bdf8..59b3e7304 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -15,7 +15,7 @@ detection:
 eventName: DeleteMountTarget
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.impact
diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml
index b3bf32e71..dbc413919 100644
--- a/rules/cloud/aws/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/aws_rds_public_db_restore.yml
@@ -17,7 +17,7 @@ detection:
 eventName: RestoreDBInstanceFromDBSnapshot
 condition: selection_source
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.exfiltration
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index fa9c67ce3..c224c84d9 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -79,7 +79,7 @@ detection:
 - 87106
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 # tags:
 # - CSC4
diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/compliance/firewall_cleartext_protocols.yml
index a0916b7c0..1a1f3d7e9 100644
--- a/rules/compliance/firewall_cleartext_protocols.yml
+++ b/rules/compliance/firewall_cleartext_protocols.yml
@@ -38,7 +38,7 @@ detection:
 - 2
 condition: selection1 and selection2
 falsepositives:
- - unknown
+ - Unknown
 level: low
 # tags:
 # - CSC4
diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml
index 68fc146fd..703ccfdb6 100644
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
@@ -31,7 +31,7 @@ detection:
 - 634
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 # tags:
 # - CSC4
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index 455d225c3..4bf1b1210 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -75,5 +75,5 @@ detection:
 - 5904
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
\ No newline at end of file
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml
index 0cb5033c4..50e682026 100644
--- a/rules/compliance/workstation_was_locked.yml
+++ b/rules/compliance/workstation_was_locked.yml
@@ -19,7 +19,7 @@ detection:
 - 4800
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 # tags:
 # - CSC16
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index fd3531e09..1c3b6cbab 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -24,5 +24,5 @@ tags:
 - attack.privilege_escalation
 - attack.t1068
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index ac1f505b9..cb04ce559 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -20,7 +20,7 @@ detection:
 - c-uri|endswith: '.exe'
 condition: selection_webdav and selection_executable
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
index bb86f47a2..ed3a28834 100644
--- a/rules/network/zeek/zeek_http_webdav_put_request.yml
+++ b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -21,7 +21,7 @@ detection:
 - 10.0.0.0/8
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.exfiltration
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 952010ffb..e0e7ef851 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -17,7 +17,7 @@ detection:
 #Accesses: '*WriteData*'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index 84819110c..51e3015bd 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@@ -20,7 +20,7 @@ fields:
 - url
 - response
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.discovery
diff --git a/rules/windows/builtin/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
index 810af5f56..9e3ff3d54 100644
--- a/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/rules/windows/builtin/dns_server/win_apt_gallium.yml
@@ -31,5 +31,5 @@ detection:
 - 'cvdfhjh1231.ddns.net'
 condition: c2_selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index d9c8fcfed..663155d08 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -16,7 +16,7 @@ detection:
 - ' -Confirm "False"'
 condition: all of command
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
index 252c8334c..a17fd4130 100644
--- a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -22,7 +22,7 @@ detection:
 FilePath|contains: 'immersivecontrolpanel'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 fields:
 - ParentProcess
 - CommandLine
diff --git a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
index 2ea2e8cd4..223390846 100644
--- a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
+++ b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
@@ -37,7 +37,7 @@ detection:
 - '.inf'
 condition: all of selection_*
 falsepositives:
- - unknown
+ - Unknown
 fields:
 - ParentProcess
 - CommandLine
diff --git a/rules/windows/builtin/security/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml
index aaa84638e..d4135914f 100644
--- a/rules/windows/builtin/security/win_etw_modification.yml
+++ b/rules/windows/builtin/security/win_etw_modification.yml
@@ -26,7 +26,7 @@ detection:
 NewValue: '0'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/security/win_hidden_user_creation.yml b/rules/windows/builtin/security/win_hidden_user_creation.yml
index 87c55ef85..f85515fad 100644
--- a/rules/windows/builtin/security/win_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_hidden_user_creation.yml
@@ -21,5 +21,5 @@ fields:
 - EventCode
 - AccountName
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
index f3ec0d146..cb53ad051 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
@@ -31,5 +31,5 @@ detection:
 - 'system.io.streamreader'
 condition: all of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index 5f127ce93..6b13d185b 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -34,5 +34,5 @@ detection:
 - '::1'
 condition: selection and ( sourceRDP or destinationRDP )
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
index fb811ece0..3b2c04657 100644
--- a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
@@ -29,7 +29,7 @@ detection:
 AccessMask: 0x10000
 condition: selection1 or selection2
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 7823e7d4c..3c43072d9 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -8,7 +8,7 @@ modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml
index 49d47422e..cb844e1f3 100644
--- a/rules/windows/builtin/system/win_pcap_drivers.yml
+++ b/rules/windows/builtin/system/win_pcap_drivers.yml
@@ -32,7 +32,7 @@ fields:
 - Originating_Computer
 - ServiceName
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.discovery
diff --git a/rules/windows/builtin/system/win_susp_system_update_error.yml b/rules/windows/builtin/system/win_susp_system_update_error.yml
index 8f38e6893..a5ac5e52c 100644
--- a/rules/windows/builtin/system/win_susp_system_update_error.yml
+++ b/rules/windows/builtin/system/win_susp_system_update_error.yml
@@ -19,7 +19,7 @@ detection:
 - 217 # Commit Failure: Windows failed to commit the following update with error
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.impact
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
index d54e00e74..42fff945f 100644
--- a/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_tool_psexec.yml
@@ -33,5 +33,5 @@ detection:
 ServiceName: 'PSEXESVC'
 condition: service_installation or service_execution
 falsepositives:
- - unknown
+ - Unknown
 level: low
\ No newline at end of file
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 1bc41f106..42ab44305 100644
--- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -30,5 +30,5 @@ tags:
 - attack.t1059.007
 - attack.t1218.005
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index 02934f765..daf111a32 100644
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -22,6 +22,6 @@ detection:
 - '0C88'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index dffb1092d..5e02d5760 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -21,7 +21,7 @@ fields:
 - TargetFilename
 - Image
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
index 6b396ffe6..0a9ffb60d 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
@@ -31,5 +31,5 @@ fields:
 - DestinationIp
 - DestinationPort
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
index a2f9df494..5266a1518 100644
--- a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
+++ b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
@@ -17,7 +17,7 @@ detection:
 Image: C:\Windows\system32\svchost.exe
 condition: selection_teamviewer and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/file_event/file_event_win_outlook_newform.yml b/rules/windows/file_event/file_event_win_outlook_newform.yml
index 0ee7b8be5..223a23d7a 100644
--- a/rules/windows/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file_event/file_event_win_outlook_newform.yml
@@ -20,5 +20,5 @@ detection:
 fields:
 - TargetFilename
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
index ebb332912..98b59bbff 100644
--- a/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file_event/file_event_win_startup_folder_file_write.yml
@@ -16,7 +16,7 @@ detection:
 TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_tool_psexec.yml b/rules/windows/file_event/file_event_win_tool_psexec.yml
index d4e3d237b..5c75c696d 100644
--- a/rules/windows/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_win_tool_psexec.yml
@@ -31,5 +31,5 @@ detection:
 TargetFilename|endswith: '\PSEXESVC.exe'
 condition: sysmon_filecreation
 falsepositives:
- - unknown
+ - Unknown
 level: low
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
index 43e503fff..0c6edd8c2 100755
--- a/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -14,7 +14,7 @@ detection:
 TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.command_and_control
diff --git a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
index 3da25ade8..3f7f2eaec 100644
--- a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -25,7 +25,7 @@ detection:
 fields:
 - TargetFilename
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.resource_development
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index 38f33c4cd..b1e9c1eea 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
@@ -31,5 +31,5 @@ detection:
 - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 condition: selection_dll and not filter_legit
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
index cdd19b2a0..0b70fe7d7 100755
--- a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
@@ -32,7 +32,7 @@ detection:
 timeframe: 30s
 condition: selector | near dllload1 and dllload2 and not exclusion
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.s0002
diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
index f6b55d616..f935150fd 100644
--- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
+++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -21,5 +21,5 @@ detection:
 Description|contains: 'st2stager'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/image_load/image_load_susp_advapi32_dll.yml b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
index 73745c9d1..4aafc2f71 100644
--- a/rules/windows/image_load/image_load_susp_advapi32_dll.yml
+++ b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
@@ -27,7 +27,7 @@ detection:
 Image|endswith: 'FileCoAuth.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
- - unknown
+ - Unknown
 level: informational
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index 7c636c840..fb56bfbfd 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -24,7 +24,7 @@ detection:
 - '\mscorlib.dll'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 4852c145f..866440fb5 100644
--- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -33,5 +33,5 @@ detection:
 - 'C:\Windows\System32\NhNotifSys.exe'
 condition: selection and not 1 of filter*
 falsepositives:
- - unknown
+ - Unknown
 level: low # too many false positives
\ No newline at end of file
diff --git a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
index b7b676eaa..55c9d793e 100644
--- a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
+++ b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml
@@ -36,5 +36,5 @@ detection:
 Image|contains: 'c:\windows\'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index f414f2148..714194dea 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -90,7 +90,7 @@ detection:
 - '127.'
 condition: selection and not 1 of filter*
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index a75bcb51b..e7644ca93 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -28,5 +28,5 @@ detection:
 - '::1'
 condition: selection and selection2
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 6aaf10275..79d24648f 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -23,7 +23,7 @@ fields:
 - DestinationIp
 - DestinationPort
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index e68489a5f..b67b6c071 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -20,7 +20,7 @@ detection:
 Initiated: 'true'
 condition: selection and filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0c06e08d6..c88027f44 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -30,7 +30,7 @@ detection:
 - 'C:\Perflogs\'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.command_and_control
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index 421032085..d87a13800 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -32,5 +32,5 @@ detection:
 PipeName: '\PSEXESVC'
 condition: sysmon_pipecreated
 falsepositives:
- - unknown
+ - Unknown
 level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index bd1a09cbb..23a33a84c 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -23,5 +23,5 @@ detection:
 - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index f5e493c93..1a6851330 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -22,5 +22,5 @@ detection:
 - 'char'
 condition: selection and filter
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index 6429b550c..af98c89a7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -23,5 +23,5 @@ detection:
 Payload|contains: 'Expand-Archive'
 condition: selection_4103
 falsepositives:
- - unknown
+ - Unknown
 level: informational
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 65e817515..bcc8cb36b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -23,5 +23,5 @@ detection:
 Payload|contains: 'Get-Clipboard'
 condition: selection_4103
 falsepositives:
- - unknown
+ - Unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index 5bfdf1b38..36fb17672 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -30,5 +30,5 @@ detection:
 Payload|endswith: 'readtoend'
 condition: selection_4103
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
index 7cb894a5b..600e33579 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
@@ -17,7 +17,7 @@ detection:
 - '\Windows\System32'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index 01135fb53..e639d7baf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -22,7 +22,7 @@ detection:
 ScriptBlockText|contains: '-recurse'
 condition: selection and recurse
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index ade15a001..e855b695c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -22,7 +22,7 @@ detection:
 ScriptBlockText|endswith: 'readtoend'
 condition: selection_4104
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index b6784c866..3ff340115 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -26,5 +26,5 @@ detection:
 ScriptBlockText|contains: '-stream'
 condition: all of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index 07c262c2e..a7e7ea2b5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -20,7 +20,7 @@ detection:
 - '.RegisterXLL'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index 6eb01be04..bbc104ada 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -17,7 +17,7 @@ detection:
 ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml
index 16124a1d0..23da97199 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml
@@ -23,7 +23,7 @@ detection:
 - DoesNotRequirePreAuth
 condition: 1 of test_*
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
index 80a725b09..d613d7246 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
@@ -23,7 +23,7 @@ detection:
 - 'Win32_Group'
 condition: 1 of test_*
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
index 691fe178d..c5d2142b3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
@@ -19,7 +19,7 @@ detection:
 - 'System.DirectoryServices.Protocols.LdapConnection'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
index 1019e8fda..7a45d7ab6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
@@ -21,7 +21,7 @@ detection:
 - '$'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
index e9c09a8e5..6800f9f92 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
@@ -17,7 +17,7 @@ detection:
 ScriptBlockText|contains: get-smbshare
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
index 7e59e4fb9..e6a124409 100644
--- a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
@@ -18,7 +18,7 @@ detection:
 - '0x1fffff'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index fb8cad71a..1f7310c25 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -14,7 +14,7 @@ detection:
 CallTrace|startswith: 'UNKNOWN'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index faf00f958..79a21ccf6 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -21,5 +21,5 @@ detection:
 CallTrace|contains: 'UNKNOWN'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
index 7d79eb575..3261aca76 100644
--- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
@@ -17,7 +17,7 @@ detection:
 - 'UNKNOWN'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
index f3482258d..e288ae455 100644
--- a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
+++ b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
@@ -22,7 +22,7 @@ fields:
 - TargetImage
 - CallTrace
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
index 35abd86d3..4d574d34f 100755
--- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
@@ -24,7 +24,7 @@ detection:
 CallTrace|contains: '|UNKNOWN'
 condition: selection and 1 of combination*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml
index 24e602704..5e8487936 100644
--- a/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml
@@ -40,7 +40,7 @@ fields:
 - User
 - CommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
index b1c55d0e3..73c815892 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
@@ -20,7 +20,7 @@ detection:
 - '$'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
index fcc4833e3..de3673e4d 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml
@@ -18,7 +18,7 @@ detection:
 - cmd.exe /c taskkill /im cmd.exe
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
index 8c97666b9..fff99d1d5 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml
@@ -28,7 +28,7 @@ detection:
 - 'c:\users\'
 condition: selection1 or selection2
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
index 15cb6e19e..8b731bfb3 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
@@ -29,5 +29,5 @@ detection:
 - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
 condition: legitimate_executable and not legitimate_process_path
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
index eeb3dbded..ce0731a5d 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
@@ -40,5 +40,5 @@ detection:
 - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
 condition: exec_selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
index c7606ca3c..d768afac4 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
@@ -25,7 +25,7 @@ detection:
 Image: C:\Users\Public\7za.exe
 condition: selection1 or selection2
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
index 6733b9eeb..95d5e2288 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
@@ -38,5 +38,5 @@ detection:
 - '.db,'
 condition: ( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )
 falsepositives:
- - unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml
index e9f887454..de1599d4b 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml
@@ -21,7 +21,7 @@ detection:
 - 'C:\Windows\SysWOW64\'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml b/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml
index 9f0add88c..f13454dc1 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_pandemic.yml
@@ -22,7 +22,7 @@ detection:
 CommandLine|contains: 'loaddll -a '
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 fields:
 - EventID
diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
index 25182ae2a..06040fd9b 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
@@ -16,7 +16,7 @@ detection:
 ParentImage|endswith: '\wmiprvse.exe'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
index 8d361c2c1..7dc95edf6 100644
--- a/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml
@@ -22,5 +22,5 @@ detection:
 - 'reg add'
 condition: selection_cmdline
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
index 58092c51d..18c8b7390 100644
--- a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
+++ b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
@@ -24,7 +24,7 @@ detection:
 - '-keepVersions:0'
 condition: all of wbadmin_*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
index 6abc90c2d..cc35645cb 100644
--- a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
+++ b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
@@ -16,7 +16,7 @@ detection:
 CurrentDirectory|endswith: '\hxtsr.exe'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
index e41e4d43e..d186a29de 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
@@ -26,7 +26,7 @@ detection:
 - '/serverlevelplugindll'
 condition: dnsadmin
 falsepositives:
- - unknown
+ - Unknown
 level: high
 fields:
 - EventID
diff --git a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
index 59c1c21d6..6d48a11f0 100644
--- a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
@@ -21,7 +21,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
index d3c556967..c22669b2e 100644
--- a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
@@ -34,7 +34,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
index 285ede822..f0cc9a06d 100644
--- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
@@ -30,7 +30,7 @@ detection:
 - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
 condition: reg and hive
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
index 16252c8da..4717c23c2 100644
--- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
@@ -23,7 +23,7 @@ detection:
 CommandLine|contains: 'COMPlus_ETWEnabled=0'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
index e18716b04..9766f615b 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
@@ -18,7 +18,7 @@ detection:
 fields:
 - CommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml
index 7545a1827..77816a02a 100644
--- a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml
@@ -25,5 +25,5 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml
index 9080a46f3..eb1ff5b87 100644
--- a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml
@@ -47,7 +47,7 @@ fields:
 - ParentProcess
 - CommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.t1211
diff --git a/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml b/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml
index c3cef36b1..1cae4941d 100644
--- a/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml
@@ -17,7 +17,7 @@ detection:
 IntegrityLevel: 'High'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml b/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml
index 6eb7b0667..0c88271df 100644
--- a/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml
@@ -26,7 +26,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
index ccd852955..691ababcb 100644
--- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
@@ -21,7 +21,7 @@ detection:
 CommandLine|endswith: 'readtoend'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml b/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml
index a3ada3325..3070179c1 100644
--- a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml
@@ -19,5 +19,5 @@ detection:
 - aspnet_compiler.exe
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml b/rules/windows/process_creation/proc_creation_win_lobas_bash.yml
index ffe5a4f6a..7214f0343 100644
--- a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml
+++ b/rules/windows/process_creation/proc_creation_win_lobas_bash.yml
@@ -19,5 +19,5 @@ detection:
 - '-c '
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml b/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml
index ed6eef040..9e38bb185 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml
@@ -22,5 +22,5 @@ detection:
 - 'ftp://'
 condition: lolbas and remote
 falsepositives:
- - unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
index 9fb92a016..f52cc0c0c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
@@ -20,5 +20,5 @@ detection: - '.cab' condition: lolbas falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
index e37a63a2d..26715115b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
@@ -17,5 +17,5 @@ detection: CommandLine|contains: Extexport.exe condition: lolbas falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
index 681305e2e..2239e1ca9 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
@@ -24,5 +24,5 @@ detection: - ' \\' condition: lolbas and options falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
index 57d431986..298fb9aa5 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
@@ -20,5 +20,5 @@ detection: CommandLine|re: ':[^\\\\]' condition: lolbas falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
index 9aec80749..7053d03df 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
@@ -18,7 +18,7 @@ detection: CurrentDirectory: null condition: lolbas and not 1 of filter_* falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
index b22fbc7e9..0297a55fc 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
@@ -16,7 +16,7 @@ detection: - '/A' condition: lolbas falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
index bc46eeccb..2241ded9a 100644
--- a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
@@ -20,7 +20,7 @@ detection: - ' -FilePath \\\\127.0.0.1\\C$' condition: selection falsepositives:
- - unknown
+ - Unknown
level: critical fields: - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
index dc66bb56a..c5ff7aa41 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
@@ -28,5 +28,5 @@ detection: CommandLine|endswith: 'COR_PROFILER' condition: sc_cmd or wmic_cmd falsepositives:
- - unknown
+ - Unknown
level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
index 465d9c9de..2f66c8dc7 100644
--- a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
@@ -17,7 +17,7 @@ detection: CommandLine|contains: ' /INJECTRUNNING ' condition: selection falsepositives:
- - unknown
+ - Unknown
level: critical tags: - attack.t1055.001
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index 0adec45fa..b0f591390 100644
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -67,5 +67,5 @@ detection: - '.pl' condition: 1 of selection_cmdline_* falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
index 6a83af5e9..845e0dae1 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
@@ -21,7 +21,7 @@ fields: - User - CommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_office_shell.yml b/rules/windows/process_creation/proc_creation_win_office_shell.yml
index c333177bc..a5bb9fa2d 100644
--- a/rules/windows/process_creation/proc_creation_win_office_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_shell.yml
@@ -47,7 +47,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
index c920f4450..cb55b83bf 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
@@ -34,5 +34,5 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
index 71e695cf7..e1f2a1e50 100644
--- a/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
@@ -56,7 +56,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_download.yml
index f68352373..f9637d41d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download.yml
@@ -23,7 +23,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 7b42b8dd9..487acdcbd 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -25,7 +25,7 @@ detection: - C:\Program Files\Amazon\SSM\ssm-document-worker.exe condition: selection and filter and not false_positives falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index 54f58c18f..c17fe5de4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -23,7 +23,7 @@ detection: - '/d ' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
index e7fc41db3..cca0a3e26 100644
--- a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
@@ -14,7 +14,7 @@ detection: Image|contains: '.zip\' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml
index ddcae5ee2..120e7670a 100644
--- a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml
@@ -34,5 +34,5 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index dcba32e7e..8606c0e42 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\sdclt.exe' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
index bc5d7d4b2..8cb212b0f 100644
--- a/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
@@ -18,5 +18,5 @@ detection: Description|contains: 'st2stager' condition: selection falsepositives:
- - unknown
+ - Unknown
level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
index 22257a097..22466e28f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml
@@ -19,7 +19,7 @@ detection: - '-encode' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
index 791898f77..75a8be92a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
@@ -23,7 +23,7 @@ detection: - '¶' condition: selection falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
index 15c5bdfad..0c0d63abc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
@@ -17,7 +17,7 @@ detection: CommandLine|contains: ' /w:' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.impact
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
index 2bd94ad65..829567483 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
@@ -25,5 +25,5 @@ detection: - '/lan ' condition: cmdl32 and options falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
index 6aefefbfe..e82b89a35 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml
@@ -27,7 +27,7 @@ detection: ParentImage|startswith: 'C:\Program' condition: selection and not falsepositive falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
index 9a74827f3..df08b20f3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
@@ -26,7 +26,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_del.yml b/rules/windows/process_creation/proc_creation_win_susp_del.yml
index 7ca3e7950..c065e0976 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_del.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_del.yml
@@ -25,5 +25,5 @@ detection: condition: susp_del_exe or susp_del_dll #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
index 124c6e4e7..5d9e52657 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
@@ -17,7 +17,7 @@ detection: - ' /b' condition: dir falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
index 27e7abff3..757f5db20 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml
@@ -20,7 +20,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_format.yml b/rules/windows/process_creation/proc_creation_win_susp_format.yml
index 8ac166b9a..bf7f5f1a3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_format.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_format.yml
@@ -25,5 +25,5 @@ detection: - '/fs:ReFS' condition: selection and not 1 of filter* falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index bcdd3e29e..05d19eed8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -30,5 +30,5 @@ detection: - 'MemCompression' condition: not image_absolute_path and not 1 of filter* falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml b/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
index b4ee08af1..279ff01f6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
@@ -24,7 +24,7 @@ detection: - ' sessions ' condition: netstat or (net_cmd and net_opt) falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 7e864aaee..4489c65b7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -78,6 +78,6 @@ detection: - '.rbs' condition: not known_image_extension and not 1 of filter* falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml b/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
index 55ef07833..0dc795a59 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_outlook.yml
@@ -22,7 +22,7 @@ detection: - '.exe' condition: clientMailRules or outlookExec falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
index eab62357c..459111265 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml
@@ -21,7 +21,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: critical tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
index 5894d957c..040477109 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
@@ -17,5 +17,5 @@ detection: - '> \\\\localhost\\admin$' condition: selection falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
index 5949587fa..39795b0cd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
@@ -32,5 +32,5 @@ detection: - 'RecoveryKeyMessage' condition: set and key falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
index d189fee78..d5231b3d5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
@@ -31,7 +31,7 @@ detection: - 'hkcu\software\classes\ms-settings' condition: 1 of selection_* falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
index 4f232b8ce..28d587b80 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
@@ -19,5 +19,5 @@ detection: CommandLine|endswith: '.jpg' # can add other condition: selection falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
index a9103c537..df1dbfa8e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
@@ -22,7 +22,7 @@ detection: - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' condition: image and not filter_parent falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
index 05d55fb8d..3c704f06d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
@@ -22,6 +22,6 @@ detection: - ';document.write();GetObject("script' condition: 1 of selection* falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
index 7921b4eaf..8c7395284 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
@@ -14,7 +14,7 @@ detection: CommandLine|contains: 'sc query' condition: sc_query falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
index c0273b06d..64c8fe044 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
@@ -26,5 +26,5 @@ detection: - '\klcp_update_task.xml' condition: schtasks and option and not 1 of filter_* falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
index f9f4422d2..a9735d53f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml
@@ -40,5 +40,5 @@ detection: - '\AppVLP.exe' condition: selection falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
index 68666a91e..bbaf07923 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
@@ -33,7 +33,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
index dad55bb72..4149781b4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml
@@ -17,7 +17,7 @@ detection: CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' condition: selection falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
index e197ac668..e35eaa87e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
@@ -21,7 +21,7 @@ detection: - 'places.sqlite' condition: all of where_* falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml b/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
index 427cf76ea..767cc0e02 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml
@@ -29,5 +29,5 @@ detection: - '.zip' condition: run or delete falsepositives:
- - unknown
+ - Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
index a64b4b6ef..9723e3670 100644
--- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
+++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml
@@ -18,7 +18,7 @@ detection: CommandLine|contains: ' group' condition: test_5 falsepositives:
- - unknown
+ - Unknown
level: low tags: - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index 8ccb98db3..32e4c292e 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -29,5 +29,5 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
index a6e7c236e..d8e539dc6 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
@@ -32,5 +32,5 @@ detection: User|startswith: 'NT AUTHORITY\SYSTEM' condition: sysmon_processcreation falsepositives:
- - unknown
+ - Unknown
level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
index e9a92cdbb..9daf1df83 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
@@ -17,7 +17,7 @@ detection: CommandLine|contains: '-u' condition: sysmon falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
index 883c3fc7f..4b7cf1ccc 100644
--- a/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml
@@ -25,7 +25,7 @@ fields: - TargetFilename - Image falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
index ea60a52bd..aacaaae88 100644
--- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
@@ -19,7 +19,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: medium tags: - attack.t1203
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
index fea0fc749..02d01a599 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
@@ -67,5 +67,5 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
index 6ae3785b5..e8e0774a2 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
@@ -34,7 +34,7 @@ fields: - CommandLine - ParentCommandLine falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
index 08b8f9352..08097055a 100644
--- a/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry_event/registry_event_add_local_hidden_user.yml
@@ -20,5 +20,5 @@ detection: Image|endswith: 'lsass.exe' condition: selection falsepositives:
- - unknown
+ - Unknown
level: high
diff --git a/rules/windows/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry_event/registry_event_apt_pandemic.yml
index eef303ef2..ae48ef5e2 100755
--- a/rules/windows/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry_event/registry_event_apt_pandemic.yml
@@ -19,7 +19,7 @@ detection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: selection falsepositives:
- - unknown
+ - Unknown
level: critical fields: - EventID
diff --git a/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
index f4037542f..08c3f7ea2 100644
--- a/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry_event/registry_event_bypass_via_wsreset.yml
@@ -22,7 +22,7 @@ fields: - EventType - TargetObject falsepositives:
- - unknown
+ - Unknown
level: high tags: - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml b/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
index 9d7818cbf..e21e4b644 100644
--- a/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry_event/registry_event_cobaltstrike_service_installs.yml
@@ -33,5 +33,5 @@ detection:
 - 'powershell'
 condition: selection1 and (selection2 or selection3)
 falsepositives:
- - unknown
+ - Unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml b/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
index 4f4bcdb13..96217d7a8 100644
--- a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
+++ b/rules/windows/registry_event/registry_event_comhijack_sdclt.yml
@@ -17,7 +17,7 @@ detection:
 - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml b/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
index 99fb16bc1..1ad7fb060 100755
--- a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml
@@ -19,7 +19,7 @@ detection:
 - '\Services\DHCPServer\Parameters\CalloutEnabled'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml b/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
index bbf21c9fc..7cacb2c85 100644
--- a/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
+++ b/rules/windows/registry_event/registry_event_disable_microsoft_office_security_features.yml
@@ -33,5 +33,5 @@ detection:
 Details: 'DWORD (0x00000001)'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
index 938a1f7c1..20f2abd92 100755
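Review bot: The registry_event_cobaltstrike_service_installs.yml hunk leaves the file ending without a newline — the `\ No newline at end of file` marker survives on the new side because `level: critical` is untouched context. Since this commit already edits the line immediately above it, terminating the file with a newline after `level: critical` costs nothing and stops the marker from reappearing in every future diff of the rule. The same applies to registry_event_mal_blue_mockingbird.yml and registry_event_sysinternals_sdelete_registry_keys.yml later in this patch.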
--- a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
@@ -20,7 +20,7 @@ detection:
 TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
 condition: dnsregmod
 falsepositives:
- - unknown
+ - Unknown
 level: high
 fields:
 - EventID
diff --git a/rules/windows/registry_event/registry_event_etw_disabled.yml b/rules/windows/registry_event/registry_event_etw_disabled.yml
index 5253af2c4..a28b1099b 100644
--- a/rules/windows/registry_event/registry_event_etw_disabled.yml
+++ b/rules/windows/registry_event/registry_event_etw_disabled.yml
@@ -25,7 +25,7 @@ detection:
 Details: 'DWORD (0x00000000)'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry_event/registry_event_mal_azorult.yml
index 8825a00e7..6762965f6 100644
--- a/rules/windows/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry_event/registry_event_mal_azorult.yml
@@ -23,7 +23,7 @@ fields:
 - TargetObject
 - TargetDetails
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
index ba78af086..1544a4286 100644
--- a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
+++ b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
@@ -22,5 +22,5 @@ detection:
 TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
 condition: mod_reg
 falsepositives:
- - unknown
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
index 25b700088..096469ad9 100644
--- a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
+++ b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml
@@ -23,5 +23,5 @@ detection:
 TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
index fb729a92c..73d893dda 100755
--- a/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -18,7 +18,7 @@ detection:
 TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
index 8513edd9e..a98f749d3 100644
--- a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
+++ b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
@@ -33,5 +33,5 @@ detection:
 fields:
 - Details
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml b/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
index b52181a52..64ded1cfb 100644
--- a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
+++ b/rules/windows/registry_event/registry_event_outlook_registry_webview.yml
@@ -28,5 +28,5 @@ detection:
 fields:
 - Details
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_persistence.yml b/rules/windows/registry_event/registry_event_persistence.yml
index 2014a9f78..7af6f2753 100755
--- a/rules/windows/registry_event/registry_event_persistence.yml
+++ b/rules/windows/registry_event/registry_event_persistence.yml
@@ -26,7 +26,7 @@ detection:
 - '\MonitorProcess'
 condition: selection_reg1 and selection_reg2
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
index f9cd9cabf..02885d46f 100644
--- a/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry_event/registry_event_persistence_recycle_bin.yml
@@ -21,5 +21,5 @@ tags:
 - attack.persistence
 - attack.t1547
 falsepositives:
- - unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml b/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
index 20ff152cb..ff45084c2 100755
--- a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml
@@ -23,7 +23,7 @@ detection:
 - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
 condition: selection_reg
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml b/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
index 9428a3d39..bc18c0460 100644
--- a/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_amsi_registry_key.yml
@@ -22,5 +22,5 @@ detection:
 - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
index c28567261..2e70fd9fc 100644
--- a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
@@ -32,7 +32,7 @@ detection:
 TargetObject|startswith: 'HKCR\Dropbox.'
 condition: selection and not 1 of filter_*
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
index ea6a92f21..fa92b605d 100644
--- a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
+++ b/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml
@@ -19,5 +19,5 @@ detection:
 TargetObject|contains: '\Software\Sysinternals\SDelete'
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_telemetry_persistence.yml b/rules/windows/registry_event/registry_event_telemetry_persistence.yml
index 8f438c6a1..3aa1029b3 100644
--- a/rules/windows/registry_event/registry_event_telemetry_persistence.yml
+++ b/rules/windows/registry_event/registry_event_telemetry_persistence.yml
@@ -24,7 +24,7 @@ detection:
 - '\system32\DeviceCensus.exe'
 condition: selection and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
index bb1ad8524..137219d47 100755
--- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
@@ -17,7 +17,7 @@ detection:
 TargetObject|endswith: '\mscfile\shell\open\command'
 condition: methregistry
 falsepositives:
- - unknown
+ - Unknown
 level: critical
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml b/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
index cbb40e35c..01bc5c6c6 100755
--- a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml
@@ -20,7 +20,7 @@ detection:
 Details|contains: '-1???\Software\Classes\'
 condition: 1 of selection*
 falsepositives:
- - unknown
+ - Unknown
 level: high
 tags:
 - attack.defense_evasion
From 45851333250d5dabadfd511776db27821765dacf Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 13:51:26 +0100
Subject: [PATCH 2/7] fix: remove penetration testing as a valid false positive
---
 rules-unsupported/win_mal_service_installs.yml | 2 +-
 rules/application/django/appframework_django_exceptions.yml | 1 -
 rules/application/python/app_python_sql_exceptions.yml | 1 -
 .../application/ruby/appframework_ruby_on_rails_exceptions.yml | 1 -
 rules/application/spring/appframework_spring_exceptions.yml | 1 -
 rules/generic/generic_brute_force.yml | 1 -
 rules/network/net_susp_network_scan_by_ip.yml | 1 -
 rules/network/net_susp_network_scan_by_port.yml | 1 -
 rules/web/web_cve_2010_5278_exploitation_attempt.yml | 1 -
 rules/web/web_path_traversal_exploitation_attempt.yml | 1 -
 rules/windows/builtin/security/win_mal_wceaux_dll.yml | 2 +-
 .../builtin/security/win_security_mal_service_installs.yml | 2 +-
 rules/windows/builtin/system/win_susp_sam_dump.yml | 2 +-
 .../powershell_script/posh_ps_azurehound_commands.yml | 2 +-
 .../powershell_script/posh_ps_malicious_commandlets.yml | 2 +-
 .../posh_ps_nishang_malicious_commandlets.yml | 2 +-
 ...ation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml | 3 +--
 ...tion_win_lolbins_suspicious_driver_installed_by_pnputil.yml | 3 +--
 18 files changed, 9 insertions(+), 20 deletions(-)
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml
index 7e53f75b2..9f61bfc9c 100644
--- a/rules-unsupported/win_mal_service_installs.yml
+++ b/rules-unsupported/win_mal_service_installs.yml
@@ -33,6 +33,6 @@ detection:
 ServiceName: 'Java(TM) Virtual Machine Support Service'
 condition: selection and 1 of malsvc_*
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
 status: unsupported
\ No newline at end of file
diff --git a/rules/application/django/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
index bedcfb1d6..233cc72d6 100644
--- a/rules/application/django/appframework_django_exceptions.yml
+++ b/rules/application/django/appframework_django_exceptions.yml
@@ -30,7 +30,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index c69a917af..bb06459da 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -19,7 +19,6 @@ detection:
 condition: exceptions
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
index 45682035c..2a058bb7c 100644
--- a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -23,7 +23,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/application/spring/appframework_spring_exceptions.yml b/rules/application/spring/appframework_spring_exceptions.yml
index df34f0402..fe97e056c 100644
--- a/rules/application/spring/appframework_spring_exceptions.yml
+++ b/rules/application/spring/appframework_spring_exceptions.yml
@@ -22,7 +22,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
index 47b45e159..1deec3354 100644
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
@@ -18,7 +18,6 @@ fields:
 - user
 falsepositives:
 - Inventarization
- - Penetration testing
 - Vulnerability scanner
 - Legitimate application
 level: medium
diff --git a/rules/network/net_susp_network_scan_by_ip.yml b/rules/network/net_susp_network_scan_by_ip.yml
index ab443fc66..86f3d9b20 100644
--- a/rules/network/net_susp_network_scan_by_ip.yml
+++ b/rules/network/net_susp_network_scan_by_ip.yml
@@ -19,7 +19,6 @@ fields:
 falsepositives:
 - Inventarization systems
 - Vulnerability scans
- - Penetration testing activity
 level: medium
 tags:
 - attack.discovery
diff --git a/rules/network/net_susp_network_scan_by_port.yml b/rules/network/net_susp_network_scan_by_port.yml
index e3cc1f862..8037e1b0a 100644
--- a/rules/network/net_susp_network_scan_by_port.yml
+++ b/rules/network/net_susp_network_scan_by_port.yml
@@ -18,7 +18,6 @@ detection:
 falsepositives:
 - Inventarization systems
 - Vulnerability scans
- - Penetration testing activity
 level: medium
 fields:
 - src_ip
diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
index 9c1cd0f55..368ddf6ec 100644
--- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml
+++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
@@ -18,7 +18,6 @@ detection:
 condition: selection
 falsepositives:
 - Scanning from Nuclei
- - Penetration Testing Activity
 - Unknown
 tags:
 - attack.initial_access
diff --git a/rules/web/web_path_traversal_exploitation_attempt.yml b/rules/web/web_path_traversal_exploitation_attempt.yml
index 498eb27da..5eeeed755 100644
--- a/rules/web/web_path_traversal_exploitation_attempt.yml
+++ b/rules/web/web_path_traversal_exploitation_attempt.yml
@@ -17,7 +17,6 @@ detection:
 condition: selection
 falsepositives:
 - Happens all the time on systems exposed to the Internet
- - Penetration testing activity on internal systems
 - Internal vulnerability scanners
 tags:
 - attack.initial_access
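Review bot: Dropping `Penetration testing` from generic_brute_force.yml while keeping `- Vulnerability scanner` applies the commit's rationale unevenly: if authorized offensive activity is a true positive that an analyst must triage rather than a false positive to suppress, an authorized scanner producing bursts of failed logons is the same class of event. Either remove the scanner entry for the same reason or keep both and reword them so they do not read as a reason to auto-close, e.g. `- Vulnerability scanners and authorized security testing (true positives that need triage, not suppression)`. The same inconsistency appears in net_susp_network_scan_by_ip.yml and net_susp_network_scan_by_port.yml, which retain `- Vulnerability scans`.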
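Review bot: web_cve_2010_5278_exploitation_attempt.yml keeps `- Scanning from Nuclei` after removing `Penetration Testing Activity`, yet Nuclei is a vulnerability-scanning tool run in exactly the kind of authorized assessment the commit no longer counts as a false positive, so the two entries deserve the same treatment. If scanner noise is meant to stay listed, consider `- Vulnerability scanners such as Nuclei (confirm the source is an authorized scanner before closing)` so it is not read as a suppression rule. The list also leaves a bare `- Unknown` next to a concrete entry, whereas elsewhere in this series Unknown appears to stand alone as a placeholder; one or the other is likely redundant here.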
diff --git a/rules/windows/builtin/security/win_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_mal_wceaux_dll.yml
index d88704d0f..7ebec9faa 100644
--- a/rules/windows/builtin/security/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/security/win_mal_wceaux_dll.yml
@@ -21,7 +21,7 @@ detection:
 ObjectName|endswith: '\wceaux.dll'
 condition: selection
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
 tags:
 - attack.credential_access
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index b3b0a67c2..e1025f86f 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -29,5 +29,5 @@ detection:
 ServiceName: 'javamtsup'
 condition: selection and 1 of malsvc_*
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
index 15cb35d23..03e8fb6e9 100644
--- a/rules/windows/builtin/system/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_susp_sam_dump.yml
@@ -17,7 +17,7 @@ detection:
 - '.dmp'
 condition: selection and all of keywords
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
index 6adae36db..b490bffdb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
@@ -26,5 +26,5 @@ tags:
 - attack.t1069.002
 - attack.t1069
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
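Review bot: Replacing `Penetration testing` with `- Unknown` in win_mal_wceaux_dll.yml throws away an assessment rather than correcting it: the rule keys on an object access ending in `\wceaux.dll`, an artifact of a known credential-dumping tool, and is rated critical, so benign matches are not unknown but implausible. PATCH 3 of this series settles on `Unlikely` for comparable hacktool rules (Rubeus, adcspwn, SecurityXploded); writing `- Unlikely` here keeps that information and stays consistent. The same reasoning applies to win_security_mal_service_installs.yml and posh_ps_azurehound_commands.yml in the hunks that follow, where authorized red-team use is a true positive to triage, not a reason to downgrade the false-positive note to Unknown.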
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 937652d74..b45c6ed55 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -118,5 +118,5 @@ detection:
 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
 condition: select_Malicious and not false_positives
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index f107fce3f..619d40b01 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -90,5 +90,5 @@ detection:
 - FakeDC
 condition: Nishang
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
index ea11ff858..673b9d38d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
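Review bot: posh_ps_malicious_commandlets.yml now says `- Unknown` for false positives while the hunk's own context shows the rule already carries a concrete exclusion, `Set-Wallpaper.ps1 # false positive form Amazon EC2`, under the `false_positives` filter referenced by `condition: select_Malicious and not false_positives`. The falsepositives metadata should reflect what the detection logic already knows, e.g. `- Legitimate administrative scripts that happen to use the same cmdlet names (see the false_positives filter, e.g. Amazon EC2 launch scripts)`, rather than Unknown. The inline comment also has a typo, `form` for `from`, that could be fixed while this line is in view.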
@@ -29,8 +29,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - DataSvcUtil.exe being used may be performed by a system administrator.
+ - DataSvcUtil.exe being used may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- - Penetration Testing
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
index 67dc8ab32..7e08a32ab 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
@@ -31,8 +31,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Pnputil.exe being used may be performed by a system administrator.
+ - Pnputil.exe being used may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- - Penetration Testing
 level: medium
From 9b82e099a3e97109a85fb441c027b8353e20e87c Mon Sep 17 00:00:00 2001
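Review bot: The first falsepositives bullet in proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml is removed and re-added with text that reads identically here, so the change is presumably trailing whitespace only; worth confirming nothing else was intended, since the commit message does not mention it. More substantively, the two bullets that remain — `- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.` and the `...should be investigated. If known behavior is causing false positives, it can be exempted from the rule.` line — are triage instructions, not sources of false positives, and belong in the rule's description, leaving falsepositives as `- Legitimate use of DataSvcUtil.exe by system administrators`. The pnputil hunk that follows has exactly the same structure and would benefit from the same split.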
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 14:16:10 +0100
Subject: [PATCH 3/7] fix: unlikely --> Unlikely
---
 .../win_exchange_proxyshell_certificate_generation.yml | 2 +-
 .../msexchange/win_exchange_proxyshell_mailbox_export.yml | 2 +-
 rules/windows/builtin/system/win_apt_turla_service_png.yml | 2 +-
 rules/windows/builtin/windefend/win_defender_amsi_trigger.yml | 2 +-
 rules/windows/builtin/windefend/win_defender_threat.yml | 2 +-
 .../windows/process_creation/proc_creation_win_hack_adcspwn.yml | 2 +-
 .../windows/process_creation/proc_creation_win_hack_rubeus.yml | 2 +-
 .../process_creation/proc_creation_win_hack_secutyxploded.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 003bdd72b..99a01f570 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -22,7 +22,7 @@ detection:
 - '.aspx'
 condition: all of export_command and export_params
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 19b350b08..4155f0add 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -24,7 +24,7 @@ detection:
 - ' -User '
 condition: (all of export_command and export_params) or all of role_assignment
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml
index 1552f94a4..140ba8bb3 100644
--- a/rules/windows/builtin/system/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/system/win_apt_turla_service_png.yml
@@ -17,7 +17,7 @@ detection:
 ServiceName: 'WerFaultSvc'
 condition: selection
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
index 7dadd113e..3bb8f4418 100644
--- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
@@ -16,7 +16,7 @@ detection:
 Source_Name: 'AMSI'
 condition: selection
 falsepositives:
- - unlikely
+ - Unlikely
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index 76413e119..00e059bd7 100644
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -18,7 +18,7 @@ detection:
 - 1117
 condition: selection
 falsepositives:
- - unlikely
+ - Unlikely
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
index a5667baf1..2eee3f156 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
@@ -19,5 +19,5 @@ detection:
 - ' --port '
 condition: selection
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
index 318d71c80..fc74430b8 100644
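Review bot: `- Unlikely` understates the noise from win_defender_threat.yml: the hunk's context shows the rule keyed on Defender detection event IDs (the visible `- 1117` entry is one of a list), and in my experience those events also fire for PUA classifications and deliberate EICAR/test-file checks, which are routine on many estates rather than unlikely. The capitalisation fix is fine on its own, but the rule would be more honest with entries such as `- Potentially unwanted application (PUA) detections` and `- EICAR or other test files used to validate AV coverage` so analysts do not treat every hit as an incident. The hacktool rules in this patch (adcspwn, Rubeus, SecurityXploded) are a different case and Unlikely is accurate for them.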
--- a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
@@ -27,7 +27,7 @@ detection:
 - ' hash /password:'
 condition: selection
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
index 269387b78..321cb3f43 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml
@@ -23,5 +23,5 @@ detection:
 OriginalFileName|endswith: 'PasswordDump.exe'
 condition: 1 of selection*
 falsepositives:
- - unlikely
+ - Unlikely
 level: critical
From 8d3f8acb60450261f8c56e2941547c25f8153bf0 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 14:19:21 +0100
Subject: [PATCH 4/7] fix: none --> Unknown
---
 rules/linux/auditd/lnx_auditd_audio_capture.yml | 2 +-
 rules/linux/auditd/lnx_auditd_capabilities_discovery.yml | 2 +-
 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +-
 .../auditd/lnx_auditd_hidden_zip_files_steganography.yml | 2 +-
 .../linux/auditd/lnx_auditd_steghide_embed_steganography.yml | 2 +-
 .../auditd/lnx_auditd_steghide_extract_steganography.yml | 2 +-
 .../lnx_auditd_unzip_hidden_zip_files_steganography.yml | 2 +-
 rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 2 +-
 rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 2 +-
 rules/web/web_cve_2021_26814_wzuh_rce.yml | 2 +-
 rules/windows/builtin/system/win_moriya_rootkit.yml | 2 +-
 rules/windows/file_event/file_event_win_moriya_rootkit.yml | 2 +-
 .../net_connection_win_notepad_network_connection.yml | 2 +-
 ...creation_win_abusing_windows_telemetry_for_persistence.yml | 2 +-
 .../process_creation/proc_creation_win_apt_dragonfly.yml | 2 +-
 .../proc_creation_win_monitoring_for_persistence_via_bits.yml | 2 +-
 .../proc_creation_win_susp_spoolsv_child_processes.yml | 2 +-
 .../proc_creation_win_write_protect_for_storage_disabled.yml | 4 ++--
 ...gistry_event_abusing_windows_telemetry_for_persistence.yml | 2 +-
 19 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index 42246e7a6..fff85facd 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -26,5 +26,5 @@ tags:
 - attack.collection
 - attack.t1123
 falsepositives:
- - None
+ - Unknown
 level: low
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 9bb7e098a..3010d07c2 100644
--- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -25,5 +25,5 @@ tags:
 - attack.t1123
 - attack.t1548
 falsepositives:
- - None
+ - Unknown
 level: low
\ No newline at end of file
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index 629d40c9d..7fb50240a 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -29,5 +29,5 @@ tags:
 - attack.defense_evasion
 - attack.t1564.001
 falsepositives:
- - None
+ - Unknown
 level: low
diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
index 4fa1edb4c..673a4608f 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1027.003
 falsepositives:
- - None
+ - Unknown
 level: low
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index 584003dcc..b50ed1d29 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1027.003
 falsepositives:
- - None
+ - Unknown
 level: low
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index 87fe4c423..f83cb4c66 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
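Review bot: The context of the lnx_auditd_capabilities_discovery.yml hunk shows the rule tagged `- attack.t1123` next to `- attack.t1548`; T1123 is Audio Capture, which does not fit a capabilities-discovery rule and looks carried over from lnx_auditd_audio_capture.yml in the preceding hunk (tagged `attack.collection` / `attack.t1123`). A discovery rule would more plausibly carry `attack.discovery`, but the intended technique cannot be confirmed from this hunk, so please check the rule's detection block and correct the tag in a follow-up rather than leaving a misleading mapping. This file also still ends without a trailing newline, which is worth fixing while it is being touched.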
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1027.003
 falsepositives:
- - None
+ - Unknown
 level: low
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
index ee5b62e6d..08684b463 100644
--- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -11,7 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1027.003
 falsepositives:
- - None
+ - Unknown
 level: low
 logsource:
 product: linux
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index c637031d1..2178cd31e 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -22,5 +22,5 @@ fields:
 - certificate.subject
 - certificate.issuer
 falsepositives:
- - none
+ - Unknown
 level: high
diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
index d0cbe57b7..9e1818b39 100644
--- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
+++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -22,7 +22,7 @@ fields:
 - c-ip
 - c-dns
 falsepositives:
- - None
+ - Unknown
 level: high
 tags:
 - attack.initial_access
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
index 0fba39bfa..c40bd1505 100644
--- a/rules/web/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -16,7 +16,7 @@ fields:
 - c-ip
 - c-dns
 falsepositives:
- - None
+ - Unknown
 level: high
 tags:
 - attack.initial_access
diff --git a/rules/windows/builtin/system/win_moriya_rootkit.yml b/rules/windows/builtin/system/win_moriya_rootkit.yml
index f92fe4eeb..d0ac46774 100644
--- a/rules/windows/builtin/system/win_moriya_rootkit.yml
+++ b/rules/windows/builtin/system/win_moriya_rootkit.yml
@@ -22,4 +22,4 @@ detection:
 condition: selection
 level: critical
 falsepositives:
- - None
\ No newline at end of file
+ - Unknown
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_moriya_rootkit.yml b/rules/windows/file_event/file_event_win_moriya_rootkit.yml
index 2383f3a82..47213161f 100644
--- a/rules/windows/file_event/file_event_win_moriya_rootkit.yml
+++ b/rules/windows/file_event/file_event_win_moriya_rootkit.yml
@@ -23,4 +23,4 @@ detection:
 condition: selection
 level: critical
 falsepositives:
- - None
\ No newline at end of file
+ - Unknown
\ No newline at end of file
diff --git a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
index dceaca53d..b2a186714 100755
--- a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
@@ -18,7 +18,7 @@ detection:
 DestinationPort: '9100'
 condition: selection and not filter
 falsepositives:
- - None observed so far
+ - Unknown
 level: high
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
index a9af4e4d3..817143908 100644
--- a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
@@ -27,5 +27,5 @@ detection:
 - '\Application Experience\Microsoft Compatibility Appraiser'
 condition: selection
 falsepositives:
- - none
+ - Unknown
 level: high
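Review bot: Both win_moriya_rootkit.yml hunks on this line (rules/windows/builtin/system and rules/windows/file_event) rewrite the file's final line to `  - Unknown` but still end with `\ No newline at end of file`. Since that line is being replaced anyway, terminating it with a newline would bring the two rules in line with the rest of the rule set and spare a later whitespace-only commit. The other `\ No newline at end of file` markers in this patch sit on lines the commit does not touch, so they are out of scope here.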
diff --git a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml
index 4131df7e4..0fac43cee 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml
@@ -17,7 +17,7 @@ detection:
 - '\crackmapexec.exe'
 condition: selection
 falsepositives:
- - None
+ - Unknown
 level: critical
 tags:
 - attack.g0035
diff --git a/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
index e8a4fbe36..633f97bac 100644
--- a/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
+++ b/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
@@ -32,7 +32,7 @@ detection:
 - 'ftps:'
 condition: 1 of selection_*
 falsepositives:
- - None observed yet.
+ - Unknown
 fields:
 - CommandLine
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
index 1029690e0..92940d98f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
@@ -76,5 +76,5 @@ fields:
 - Image
 - CommandLine
 falsepositives:
- - None known
+ - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
index 163e8d4f2..c9fe66af5 100644
--- a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
@@ -15,12 +15,12 @@ detection:
 - 'hklm\system\currentcontrolset\control'
 - 'write protection'
 - '0'
- CommandLine|contains:
+ CommandLine|contains:
 - 'storage'
 - 'storagedevicepolicies'
 condition: selection
 falsepositives:
- - none observed
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
index bfdd0738b..282552a87 100644
--- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
@@ -40,5 +40,5 @@ detection:
 - .vbs
 condition: selection
 falsepositives:
- - none
+ - Unknown
 level: high
\ No newline at end of file
From 84d0c472ba8a0187a95a4948917b9eac2667ce74 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 16 Mar 2022 14:23:48 +0100 Subject: [PATCH 5/7] fix: remove penetration test as valid false positive reason --- ...i_spawned_cmd_and_powershell_spawned_processes.yml | 2 +- ...lways_install_elevated_parent_child_correlated.yml | 11 +++++------ .../zeek_smb_converted_win_impacket_secretdump.yml | 2 +- rules/web/web_cve_2021_22005_vmware_file_upload.yml | 2 +- .../web_cve_2021_22893_pulse_secure_rce_exploit.yml | 2 +- ..._2021_40539_manageengine_adselfservice_exploit.yml | 2 +- rules/web/web_cve_2021_42237_sitecore_report_ashx.yml | 2 +- ...rtificate_template_configuration_vulnerability.yml | 1 - ...icate_template_configuration_vulnerability_eku.yml | 1 - rules/windows/builtin/security/win_atsvc_task.yml | 2 +- .../builtin/security/win_impacket_secretdump.yml | 4 ++-- .../builtin/security/win_lateral_movement_condrv.yml | 3 +-- rules/windows/builtin/security/win_pass_the_hash.yml | 1 - .../windows/builtin/security/win_pass_the_hash_2.yml | 1 - .../builtin/security/win_susp_net_recon_activity.yml | 1 - .../builtin/security/win_svcctl_remote_service.yml | 2 +- rules/windows/builtin/system/win_hack_smbexec.yml | 1 - rules/windows/builtin/win_alert_mimikatz_keywords.yml | 1 - .../powershell_suspicious_invocation_generic.yml | 1 - .../powershell_suspicious_invocation_specific.yml | 2 +- .../file_event_win_detect_powerup_dllhijacking.yml | 1 - .../file_event_win_powershell_exploit_scripts.yml | 2 +- .../image_load_suspicious_dbghelp_dbgcore_load.yml | 6 +++--- .../image_load_svchost_dll_search_order_hijack.yml | 2 +- .../image_load/image_load_uac_bypass_via_dism.yml | 1 - .../powershell_classic/posh_pc_downgrade_attack.yml | 1 - .../powershell_classic/posh_pc_exe_calling_ps.yml | 1 - .../posh_pm_suspicious_invocation_generic.yml | 1 - .../posh_pm_suspicious_invocation_specific.yml | 4 ++-- .../powershell_script/posh_ps_malicious_keywords.yml | 2 +- 
.../powershell/powershell_script/posh_ps_psattack.yml | 2 +- .../posh_ps_suspicious_invocation_generic.yml | 1 - .../posh_ps_suspicious_invocation_specific.yml | 2 +- .../powershell_script/posh_ps_suspicious_keywords.yml | 2 +- ...tion_win_accesschk_usage_after_priv_escalation.yml | 1 - ...ys_install_elevated_msi_spawned_cmd_powershell.yml | 2 +- ..._win_always_install_elevated_windows_installer.yml | 1 - .../process_creation/proc_creation_win_dotnet.yml | 1 - .../proc_creation_win_hack_koadic.yml | 2 +- .../proc_creation_win_impacket_lateralization.yml | 2 +- ...roc_creation_win_install_reg_debugger_backdoor.yml | 2 +- ..._win_logon_scripts_userinitmprlogonscript_proc.yml | 5 ++--- .../process_creation/proc_creation_win_msdeploy.yml | 1 - .../proc_creation_win_powershell_downgrade_attack.yml | 1 - ..._win_powershell_suspicious_parameter_variation.yml | 2 +- .../proc_creation_win_renamed_jusched.yml | 2 +- ...oc_creation_win_susp_powershell_hidden_b64_cmd.yml | 2 +- .../proc_creation_win_susp_recon_activity.yml | 1 - .../proc_creation_win_susp_sharpview.yml | 2 +- ...event_logon_scripts_userinitmprlogonscript_reg.yml | 3 +-- 50 files changed, 39 insertions(+), 63 deletions(-)
diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index 2a8e7c073..4e0c0e2e3 100644
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -30,7 +30,7 @@ fields:
 - ParentImage
 - ParentOfParentImage
 falsepositives:
- - Penetration test
+ - Unknown
 level: high
 enrichment:
 - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
index 955ce84cb..11958e394 100644
--- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -1,12 +1,12 @@
 title: Always Install Elevated Parent Child Correlated
 id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
-description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
+description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
 #look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
 #look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
 status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
-references:
+references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
 - attack.privilege_escalation
@@ -20,14 +20,14 @@ detection:
 system_user:
 User: 'NT AUTHORITY\SYSTEM'
 image_1:
- Image|contains|all:
+ Image|contains|all:
 - '\Windows\Installer\'
 - 'msi'
- Image|endswith:
+ Image|endswith:
 - 'tmp'
 image_2:
 Image|endswith: '\msiexec.exe'
- child_of_suspicious_guid:
+ child_of_suspicious_guid:
 ParentProcessGuid: '%suspicious_guid%'
 condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
 fields:
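Review bot: The `+description:` line in the first hunk of sysmon_always_install_elevated_parent_child_correlated.yml only strips trailing whitespace and re-emits the ungrammatical "This rule will looks any process with low privilege launching Windows Installer service". Since the line is rewritten anyway, `description: This rule looks for any process with low privilege launching the Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege` would fix the wording at no extra cost. The second hunk on this line likewise only strips trailing whitespace from selector keys, and the rule's `fields` list continues past the hunk.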
@@ -38,5 +38,4 @@ fields:
 - ParentProcessGuid
 falsepositives:
 - System administrator usage
- - Penetration test
 level: high
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index f0b7975ae..da432c695 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -19,7 +19,7 @@ detection:
 name|endswith: '.tmp'
 condition: selection
 falsepositives:
- - 'unknown'
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/web/web_cve_2021_22005_vmware_file_upload.yml b/rules/web/web_cve_2021_22005_vmware_file_upload.yml
index c57ca2669..08bfa355a 100644
--- a/rules/web/web_cve_2021_22005_vmware_file_upload.yml
+++ b/rules/web/web_cve_2021_22005_vmware_file_upload.yml
@@ -18,5 +18,5 @@ detection:
 c-uri|contains: '/analytics/telemetry/ph/api/hyper/send?'
 condition: selection
 falsepositives:
- - Vulnerability Scanning/Pentesting
+ - Vulnerability Scanning
 level: high
diff --git a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml
index ed2adbaae..06da48fa3 100644
--- a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml
+++ b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml
@@ -30,5 +30,5 @@ detection:
 - 'metric'
 condition: selection1 and selection2
 falsepositives:
- - Vulnerability Scanning/Pentesting
+ - Vulnerability Scanning
 level: high
diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 875403e8b..52ddd3d5b 100644
--- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -29,5 +29,5 @@ fields:
 - c-ip
 - c-uri
 falsepositives:
- - External Pentesting
+ - Unknown
 level: critical
diff --git a/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml b/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
index d79c84d00..a769abe10 100644
--- a/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
+++ b/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -19,5 +19,5 @@ detection:
 sc-status: 200
 condition: selection
 falsepositives:
- - Vulnerability Scanning/Pentesting
+ - Vulnerability Scanning
 level: high
diff --git a/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
index 507b3f1b8..e0ebcca25 100644
--- a/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
+++ b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
@@ -23,7 +23,6 @@ detection:
 condition: selection1 or selection2
 falsepositives:
 - Administrator activity
- - Penetration tests
 - Proxy SSL certificate with subject modification
 - Smart card enrollement
 level: low
diff --git a/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
index b390c1a8d..934457f17 100644
--- a/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
+++ b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
@@ -37,7 +37,6 @@ detection:
 condition: (selection10 and selection11) or (selection20 and selection21)
 falsepositives:
 - Administrator activity
- - Penetration tests
 - Proxy SSL certificate with subject modification
 - Smart card enrollement
 level: high
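Review bot: In web_cve_2021_40539_manageengine_adselfservice_exploit.yml the entry `- External Pentesting` becomes `- Unknown`, whereas the three sibling web CVE rules touched by this same commit (web_cve_2021_22005, web_cve_2021_22893 and web_cve_2021_42237) keep `- Vulnerability Scanning` once the pentesting wording is dropped. All four match a request to a specific URI in web-server logs, so a vulnerability scanner probing that endpoint would presumably trip this rule as well; `  - Vulnerability Scanning` would keep the false-positive guidance consistent across the set. If `Unknown` was chosen deliberately for this rule, a line in the commit message saying why would help the next reader.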
diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
index f45c6c860..fb4373ec1 100644
--- a/rules/windows/builtin/security/win_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_atsvc_task.yml
@@ -19,7 +19,7 @@ detection:
 Accesses|contains: 'WriteData'
 condition: selection
 falsepositives:
- - pentesting
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
index 312355ab0..f6941ccd2 100644
--- a/rules/windows/builtin/security/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_impacket_secretdump.yml
@@ -20,10 +20,10 @@ detection:
 selection:
 EventID: 5145
 ShareName: \\\*\ADMIN$
- RelativeTargetName|contains|all:
+ RelativeTargetName|contains|all:
 - 'SYSTEM32\'
 - '.tmp'
 condition: selection
 falsepositives:
- - pentesting
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_lateral_movement_condrv.yml b/rules/windows/builtin/security/win_lateral_movement_condrv.yml
index 6ce24da96..faf084994 100644
--- a/rules/windows/builtin/security/win_lateral_movement_condrv.yml
+++ b/rules/windows/builtin/security/win_lateral_movement_condrv.yml
@@ -11,7 +11,7 @@ references:
 tags:
 - attack.lateral_movement
 - attack.execution
- - attack.t1021
+ - attack.t1021
 - attack.t1059
 logsource:
 product: windows
@@ -25,5 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - legal admin action
- - Penetration tests where lateral movement has occurred. This event will be created on the target host.
 level: low
diff --git a/rules/windows/builtin/security/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml
index ca13aa9cf..321d0997a 100644
--- a/rules/windows/builtin/security/win_pass_the_hash.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash.yml
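Review bot: The second hunk in win_lateral_movement_condrv.yml leaves the rule with no statement of where the matched event is produced: the dropped entry was the only place saying "This event will be created on the target host", and that is triage context rather than a false-positive reason, so it should survive the cleanup. Moving it into the rule's `description` (outside this hunk) would keep the information while leaving `falsepositives` for benign causes only. The remaining entry `- legal admin action` could also be brought to the capitalised form used by the other rules in this commit, e.g. `  - Legitimate administrator activity`.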
@@ -25,7 +25,6 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Administrator activity
- - Penetration tests
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/security/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
index 0fdadb4a1..dd7e9f1fb 100644
--- a/rules/windows/builtin/security/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash_2.yml
@@ -30,5 +30,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Administrator activity
- - Penetration tests
 level: medium
diff --git a/rules/windows/builtin/security/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
index d4fd16e68..502e68f52 100644
--- a/rules/windows/builtin/security/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
@@ -26,7 +26,6 @@ detection:
 condition: selection and selection2
 falsepositives:
 - Administrator activity
- - Penetration tests
 level: high
 tags:
 - attack.discovery
diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml
index 433ea4c5b..0f7b38a44 100644
--- a/rules/windows/builtin/security/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml
@@ -19,7 +19,7 @@ detection:
 Accesses|contains: 'WriteData'
 condition: selection
 falsepositives:
- - pentesting
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
index cf1168712..82fa20646 100644
--- a/rules/windows/builtin/system/win_hack_smbexec.yml
+++ b/rules/windows/builtin/system/win_hack_smbexec.yml
@@ -21,7 +21,6 @@ fields:
 - ServiceName
 - ServiceFileName
 falsepositives:
- - Penetration Test
 - Unknown
 level: critical
 tags:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index a4d6f2a09..ed75a5758 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -46,7 +46,6 @@ detection:
 condition: keywords and not filter
 falsepositives:
 - Naughty administrators
- - Penetration test
 - AV Signature updates
 - Files with Mimikatz in their filename
 level: critical
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
index f0f7d851c..777c179e6 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
@@ -24,6 +24,5 @@ detection:
 - ' -noninteractive '
 condition: all of selection*
 falsepositives:
- - Penetration tests
 - Very special / sneaky PowerShell scripts
 level: high
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index 657b72ca9..9ccde785f 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -57,5 +57,5 @@ detection:
 - 'Write-ChocolateyWarning'
 condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
diff --git a/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml b/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
index 79718f93c..c4fb4645b 100644
--- a/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
@@ -23,6 +23,5 @@ detection:
 TargetFilename|endswith: '.bat'
 condition: selection
 falsepositives:
- - Pentest
 - Any powershell script that creates bat files # highly unlikely (untested)
 level: high
diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
index 4f21221df..fa88ee422 100755
--- a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -110,7 +110,7 @@ detection:
 - '\Invoke-Mimikittenz.ps1'
 condition: selection
 falsepositives:
- - Penetration Tests
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/image_load/image_load_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_suspicious_dbghelp_dbgcore_load.yml
index e1983f568..571168acd 100755
--- a/rules/windows/image_load/image_load_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_suspicious_dbghelp_dbgcore_load.yml
@@ -47,11 +47,11 @@ detection:
 Signed: 'FALSE'
 filter1:
 - Image|contains: 'Visual Studio'
- - CommandLine|contains:
+ - CommandLine|contains:
 - '-k LocalSystemNetworkRestricted'
 - '-k UnistackSvcGroup -s WpnUserService'
 filter2: # Not available in Sysmon, but in Aurora
- CommandLine:
+ CommandLine:
 - 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding'
 - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
 - 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
@@ -62,7 +62,7 @@ fields:
 - Image
 - ImageLoaded
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
index 0be23656b..02a3bf323 100755
--- a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
@@ -23,7 +23,7 @@ detection:
 - 'C:\Windows\WinSxS\'
 condition: selection and not filter
 falsepositives:
- - Pentest
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
index 0890c647a..ff1fba982 100644
--- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
@@ -27,6 +27,5 @@ detection:
 - 'C:\Windows\System32\Dism\dismcore.dll'
 condition: selection and not filter
 falsepositives:
- - Pentests
 - Actions of a legitimate telnet client
 level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index b7d9d3547..a0fdf44b4 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -22,6 +22,5 @@ detection:
 HostVersion|startswith: '2.'
 condition: selection and not filter
 falsepositives:
- - Penetration Test
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 215c3d778..ec3b137b4 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -24,6 +24,5 @@ detection:
 HostVersion|startswith: '3.'
 condition: selection1
 falsepositives:
- - Penetration Tests
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
index 1ebead1f9..7d532d099 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
@@ -30,6 +30,5 @@ detection:
 - ' -noninteractive '
 condition: all of selection*
 falsepositives:
- - Penetration tests
 - Very special / sneaky PowerShell scripts
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index 0712ad64f..bbf497a0a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -61,10 +61,10 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- ContextInfo|contains:
+ ContextInfo|contains:
 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 - 'Write-ChocolateyWarning'
 condition: 1 of selection* and not 1 of filter*
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index d86e73d9a..59544ca95 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -39,5 +39,5 @@ detection:
 - 'Mimikatz'
 condition: Malicious
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index edd719577..1473ce81f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -19,5 +19,5 @@ detection:
 ScriptBlockText|contains: 'PS ATTACK!!!'
 condition: selection
 falsepositives:
- - Pentesters
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
index 7ee906b99..0569bb5f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
@@ -30,6 +30,5 @@ detection:
 - ' -noninteractive '
 condition: all of selection*
 falsepositives:
- - Penetration tests
 - Very special / sneaky PowerShell scripts
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index c97078d90..e629c9615 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -67,5 +67,5 @@ detection:
 - 'Write-ChocolateyWarning'
 condition: 1 of select* and not 1 of filter*
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
index 655f9c3f9..51c2a7a66 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
@@ -33,5 +33,5 @@ detection:
 - 'http://127.0.0.1'
 condition: framework
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
index 052a374e1..3347ee137 100644
--- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
+++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
@@ -24,7 +24,6 @@ fields:
 - Description
 falsepositives:
 - System administrator Usage
- - Penetration test
 level: high
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
index 0edbf3a83..661b19510 100644
--- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
@@ -26,7 +26,7 @@ fields:
 - Image
 - ParentImage
 falsepositives:
- - Penetration test
+ - Unknown
 level: medium
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml
index ce9617459..c59c9aaca 100644
--- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml
@@ -39,5 +39,4 @@ fields:
 - Image
 falsepositives:
 - System administrator Usage
- - Penetration test
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet.yml b/rules/windows/process_creation/proc_creation_win_dotnet.yml
index e6b12a975..94d171008 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet.yml
@@ -27,7 +27,6 @@ fields:
 - ParentCommandLine
 falsepositives:
 - System administrator Usage
- - Penetration test
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_hack_koadic.yml b/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
index de808b09f..8d07794d6 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
@@ -24,7 +24,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Pentest
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index e0cf3fdc3..e263a3a3b 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -58,7 +58,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - pentesters
+ - Unknown
 level: critical
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
index c58de2186..2c07f3ef8 100644
--- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
@@ -24,7 +24,7 @@ detection:
 - 'atbroker.exe'
 condition: selection
 falsepositives:
- - Penetration Tests
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
index dea3b7f4a..1479596bc 100644
--- a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
@@ -14,7 +14,7 @@ detection:
 exec_selection:
 ParentImage|endswith: '\userinit.exe'
 exec_exclusion1:
- Image|endswith:
+ Image|endswith:
 - 'explorer.exe'
 - '\proquota.exe'
 exec_exclusion2:
@@ -26,8 +26,7 @@ detection:
 CommandLine|contains: 'UserInitMprLogonScript'
 condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli
 falsepositives:
- - exclude legitimate logon scripts
- - penetration tests, red teaming
+ - Exclude legitimate logon scripts
 level: high
 tags:
 - attack.t1037.001
diff --git a/rules/windows/process_creation/proc_creation_win_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_msdeploy.yml
index 7930ea39d..aa5cec86c 100644
--- a/rules/windows/process_creation/proc_creation_win_msdeploy.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdeploy.yml
@@ -28,7 +28,6 @@ fields:
 - ParentCommandLine
 falsepositives:
 - System administrator Usage
- - Penetration test
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index 856abdef9..84bb4bfa5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -25,7 +25,6 @@ detection:
 Image|endswith: '\powershell.exe'
 condition: selection
 falsepositives:
- - Penetration Test
 - Unknown
 level: medium
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml
index 96b8cb9ef..5eab70d41 100644
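Review bot: In the first hunk of proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml the retouched `Image|endswith:` list still pairs `'explorer.exe'` with `'\proquota.exe'`; without the leading path separator the first entry excludes every image whose file name merely ends in `explorer.exe`, which is broader than the sibling entry and widens the exclusion beyond the Windows shell binary. Suggest `- '\explorer.exe'` so both entries are anchored the same way. The hunk itself only strips trailing whitespace from the key line, so this is a pre-existing issue the rewrite surfaces rather than introduces.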
--- a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml
@@ -125,7 +125,7 @@ detection:
 - ' /ep bypass'
 condition: selection
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
index 46e925dcd..6976b23af 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
@@ -20,7 +20,7 @@ detection:
 - '\jusched.exe'
 condition: (selection1 or selection2) and not filter
 falsepositives:
- - penetration tests, red teaming
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
index ffdd8aded..f1369b4de 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
@@ -66,7 +66,7 @@ detection:
 - 'ZW1tb3Zl'
 condition: encoded and selection
 falsepositives:
- - Penetration tests
+ - Unknown
 level: high
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml
index ec29da6a7..deec53629 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml
@@ -28,7 +28,6 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Inventory tool runs
- - Penetration tests
 - Administrative activity
 analysis:
 recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
index 99d7df283..34ff6cca7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
@@ -144,7 +144,7 @@ detection:
 - Get-NetGPOGroup
 condition: sharpview or sharpview_methods
 falsepositives:
- - pentest
+ - Unknown
 level: high
 tags:
 - attack.discovery
diff --git a/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml
index 51cdc34d6..0ed72dfb4 100644
--- a/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml
@@ -15,8 +15,7 @@ detection:
 TargetObject|contains: 'UserInitMprLogonScript'
 condition: create_keywords_reg
 falsepositives:
- - exclude legitimate logon scripts
- - penetration tests, red teaming
+ - Exclude legitimate logon scripts
 level: high
 tags:
 - attack.t1037.001
From 6ae28b7a1cf2683af9a04525dbc09c70c121e681 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 14:35:19 +0100
Subject: [PATCH 6/7] fix: legitimate --> Legitimate
---
 rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml | 2 +-
 rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml | 2 +-
 rules/linux/auditd/lnx_auditd_data_exfil_wget.yml | 2 +-
 .../windows/builtin/msexchange/win_exchange_transportagent.yml | 2 +-
 .../builtin/msexchange/win_exchange_transportagent_failed.yml | 2 +-
 rules/windows/builtin/security/win_privesc_cve_2020_1472.yml | 2 +-
 rules/windows/driver_load/driver_load_vuln_dell_driver.yml | 2 +-
 rules/windows/driver_load/driver_load_windivert.yml | 2 +-
 rules/windows/file_event/file_event_win_anydesk_artefact.yml | 2 +-
 rules/windows/file_event/file_event_win_gotoopener_artefact.yml | 2 +-
 .../file_event/file_event_win_screenconnect_artefact.yml | 2 +-
 .../powershell/powershell_script/posh_ps_cor_profiler.yml | 2 +-
 .../posh_ps_directoryservices_accountmanagement.yml | 2 +-
 .../powershell/powershell_script/posh_ps_get_acl_service.yml | 2 +-
 .../windows/powershell/powershell_script/posh_ps_localuser.yml | 2 +-
 .../windows/powershell/powershell_script/posh_ps_msxml_com.yml | 2 +-
 .../powershell_script/posh_ps_remote_session_creation.yml | 2 +-
 .../powershell/powershell_script/posh_ps_susp_ssl_keyword.yml | 2 +-
 .../powershell/powershell_script/posh_ps_test_netconnection.yml | 2 +-
 rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_anydesk.yml | 2 +-
 .../process_creation/proc_creation_win_cmd_dosfuscation.yml | 2 +-
 .../process_creation/proc_creation_win_esentutl_webcache.yml | 2 +-
 .../proc_creation_win_fsutil_symlinkevaluation.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_gotoopener.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_logmein.yml | 2 +-
 .../proc_creation_win_reg_defender_exclusion.yml | 2 +-
 .../proc_creation_win_rundll32_registered_com_objects.yml | 2 +-
 .../process_creation/proc_creation_win_screenconnect.yml | 2 +-
 .../proc_creation_win_win_exchange_transportagent.yml | 2 +-
 rules/windows/sysmon/sysmon_config_modification.yml | 2 +-
 rules/windows/sysmon/sysmon_config_modification_error.yml | 2 +-
 rules/windows/sysmon/sysmon_config_modification_status.yml | 2 +-
 33 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
index 5dc522e2c..37eef2bdb 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -23,5 +23,5 @@ detection:
 OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
 condition: selection
 falsepositives:
- - legitimate AD FS servers added to an AAD Health AD FS service instance
+ - Legitimate AD FS servers added to an AAD Health AD FS service instance
 level: medium
\ No newline at end of file
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
index bbed90f57..1db77b37a 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
@@ -23,5 +23,5 @@ detection:
 OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
 condition: selection
 falsepositives:
- - legitimate AAD Health AD FS service instances being deleted in a tenant
+ - Legitimate AAD Health AD FS service instances being deleted in a tenant
 level: medium
\ No newline at end of file
diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
index 4359db96e..30931daa9 100644
--- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
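Review bot: The `level: medium` context line closing the azure_aadhybridhealth_adfs_new_server.yml hunk still carries `\ No newline at end of file`, and the commit already rewrites the line directly above it, so the missing trailing newline could have been added in the same touch to satisfy yamllint's new-line-at-end-of-file check. The same marker survives in the azure_aadhybridhealth_adfs_service_delete.yml, lnx_auditd_data_exfil_wget.yml, win_exchange_transportagent.yml and proc_creation_win_win_exchange_transportagent.yml hunks of this series. A one-character change per file, but it keeps these rules from failing a lint run that the rest of the repository passes.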
@@ -21,5 +21,5 @@ tags:
 - attack.exfiltration
 - attack.t1048.003
 falsepositives:
- - legitimate usage of wget utility to post a file
+ - Legitimate usage of wget utility to post a file
 level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index 82fd5dde6..6eca37cc7 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -23,5 +23,5 @@ detection:
 fields:
 - AssemblyPath
 falsepositives:
- - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+ - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
 level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
index 2a68a8419..faad6e0f5 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
@@ -21,5 +21,5 @@ detection:
 fields:
 - AssemblyPath
 falsepositives:
- - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+ - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
 level: high
diff --git a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
index b4a73aed6..225208a98 100644
--- a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
+++ b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
@@ -24,5 +24,5 @@ detection:
 condition: selection and not filter
 falsepositives:
 - automatic DC computer account password change
- - legitimate DC computer account password change
+ - Legitimate DC computer account password change
 level: high
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index 000b6adfa..15439f86e 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -26,5 +26,5 @@ detection:
 - 'd2fd132ab7bbc6bbb87a84f026fa0244'
 condition: selection_image or selection_hash
 falsepositives:
- - legitimate BIOS driver updates (should be rare)
+ - Legitimate BIOS driver updates (should be rare)
 level: high
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml
index b462fc2fd..3f3de4609 100644
--- a/rules/windows/driver_load/driver_load_windivert.yml
+++ b/rules/windows/driver_load/driver_load_windivert.yml
@@ -22,5 +22,5 @@ detection:
 - '\WinDivert64.sys'
 condition: selection
 falsepositives:
- - legitimate WinDivert driver usage
+ - Legitimate WinDivert driver usage
 level: high
diff --git a/rules/windows/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file_event/file_event_win_anydesk_artefact.yml
index 3651c53bd..0d2800f5c 100644
--- a/rules/windows/file_event/file_event_win_anydesk_artefact.yml
+++ b/rules/windows/file_event/file_event_win_anydesk_artefact.yml
@@ -20,7 +20,7 @@ detection:
 TargetFilename|endswith: '.temp'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
index 6b045ce00..427980d1b 100644
--- a/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
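Review bot: The win_privesc_cve_2020_1472.yml hunk capitalizes only the second falsepositives entry; the first, `- automatic DC computer account password change`, is left lowercase one line above the changed one, so a commit whose purpose is harmonizing these strings leaves this file half-harmonized. Suggest `- Automatic DC computer account password change` in the same hunk.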
+++ b/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
@@ -17,7 +17,7 @@ detection:
 TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/file_event/file_event_win_screenconnect_artefact.yml b/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
index 1095a7e0c..60416b5f9 100644
--- a/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
+++ b/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
@@ -17,7 +17,7 @@ detection:
 TargetFilename|contains: '\Bin\ScreenConnect.' #pattern to dll and jar file
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index a548bf2ad..49c656f18 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -22,7 +22,7 @@ detection:
 - '$env:COR_PROFILER_PATH'
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
index 6d4f23a3b..293b9e0dc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
@@ -17,7 +17,7 @@ detection:
 ScriptBlockText|contains: System.DirectoryServices.AccountManagement
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index cea1e7d57..0664cf3ce 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -20,7 +20,7 @@ detection:
 - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index 0541f2754..d73aadd45 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -24,7 +24,7 @@ detection:
 - 'Remove-LocalUser'
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index c2235ff87..5bda37085 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -21,7 +21,7 @@ detection:
 - MsXml2.ServerXmlHttp
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index b02503043..613de32b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -19,7 +19,7 @@ detection:
 - '-ComputerName '
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index e02900789..ff6cadd46 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -18,7 +18,7 @@ detection:
 - '.AuthenticateAsClient'
 condition: selection
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: low
 tags:
 - attack.command_and_control
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index a3ff348dd..0585dba7f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -24,7 +24,7 @@ detection:
 - ' 80 '
 condition: selection and not filter
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index 23d0496ff..af165de71 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -23,7 +23,7 @@ detection:
 - Invoke-Expression
 condition: all of selection_*
 falsepositives:
- - legitimate administrative script
+ - Legitimate administrative script
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk.yml b/rules/windows/process_creation/proc_creation_win_anydesk.yml
index 1e33332de..ab64b9b31 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk.yml
@@ -19,7 +19,7 @@ detection:
 - Company: AnyDesk Software GmbH
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index e43510390..9606d2246 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -23,7 +23,7 @@ detection:
 - ' se^t '
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
index 8ebe9fc75..15a863b09 100644
--- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
@@ -18,7 +18,7 @@ detection:
 - '\Windows\WebCache'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 6c778ec9f..090f881af 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -21,7 +21,7 @@ detection:
 - 'SymlinkEvaluation'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_gotoopener.yml b/rules/windows/process_creation/proc_creation_win_gotoopener.yml
index de9d42f6e..74f481130 100644
--- a/rules/windows/process_creation/proc_creation_win_gotoopener.yml
+++ b/rules/windows/process_creation/proc_creation_win_gotoopener.yml
@@ -19,7 +19,7 @@ detection:
 - Company: 'LogMeIn, Inc.'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_logmein.yml b/rules/windows/process_creation/proc_creation_win_logmein.yml
index 8d1fbfb5c..ccde53ca3 100644
--- a/rules/windows/process_creation/proc_creation_win_logmein.yml
+++ b/rules/windows/process_creation/proc_creation_win_logmein.yml
@@ -19,7 +19,7 @@ detection:
 - Company: LogMeIn, Inc.
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 6bf0ed714..48e1577e4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -25,7 +25,7 @@ detection:
 - '0'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
index 46e24dbcb..48dc6b8a8 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
@@ -21,7 +21,7 @@ detection:
 - '}'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: high
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_screenconnect.yml
index 016e5bf67..446bee5d3 100644
--- a/rules/windows/process_creation/proc_creation_win_screenconnect.yml
+++ b/rules/windows/process_creation/proc_creation_win_screenconnect.yml
@@ -19,7 +19,7 @@ detection:
 - Company: 'ScreenConnect Software'
 condition: selection
 falsepositives:
- - legitimate use
+ - Legitimate use
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml b/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
index 564270ff6..59c7fc5b5 100644
--- a/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
+++ b/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
@@ -18,7 +18,7 @@ detection:
 CommandLine|contains: 'Install-TransportAgent'
 condition: selection
 falsepositives:
- - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+ - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
 level: medium
 fields:
 - AssemblyPath
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index 698bd1fb3..ff88c034d 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -18,7 +18,7 @@ detection:
 # condition: selection and not filter
 condition: selection
 falsepositives:
- - legitimate administrative action
+ - Legitimate administrative action
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml
index a24e86ff0..a02ae3f99 100644
--- a/rules/windows/sysmon/sysmon_config_modification_error.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_error.yml
@@ -25,5 +25,5 @@ detection:
 - 'Last error: The media is write protected.'
 condition: selection_error and not selection_filter
 falsepositives:
- - legitimate administrative action
+ - Legitimate administrative action
 level: high
diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml
index e23306102..b04c00a2d 100644
--- a/rules/windows/sysmon/sysmon_config_modification_status.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_status.yml
@@ -21,5 +21,5 @@ detection:
 - 'Sysmon config state changed'
 condition: selection_stop or selection_conf
 falsepositives:
- - legitimate administrative action
+ - Legitimate administrative action
 level: high
From 043747822f0ead13d542f5d7ac78721927b898f7 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Mar 2022 14:39:23 +0100
Subject: [PATCH 7/7] fix: more falsepositives harmonization
---
 .../rpc_firewall/rpc_firewall_eventlog_recon.yml | 2 +-
 .../rpc_firewall/rpc_firewall_printing_lateral_movement.yml | 2 +-
 .../microsoft365_data_exfiltration_to_unsanctioned_app.yml | 2 +-
 .../m365/microsoft365_unusual_volume_of_file_deletion.yml | 2 +-
 .../microsoft365_user_restricted_from_sending_email.yml | 2 +-
 rules/cloud/okta/okta_security_threat_detected.yml | 2 +-
 rules/linux/auditd/lnx_auditd_binary_padding.yml | 2 +-
 rules/linux/auditd/lnx_auditd_change_file_time_attr.yml | 2 +-
 rules/linux/auditd/lnx_auditd_find_cred_in_files.yml | 2 +-
 rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml | 2 +-
 rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml | 4 ++--
 rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml | 2 +-
 rules/linux/builtin/lnx_ldso_preload_injection.yml | 4 ++--
 .../process_creation/proc_creation_macos_binary_padding.yml | 2 +-
 .../proc_creation_macos_change_file_time_attr.yml | 2 +-
 .../proc_creation_macos_find_cred_in_files.yml | 2 +-
 .../proc_creation_macos_split_file_into_pieces.yml | 2 +-
 .../proc_creation_macos_susp_histfile_operations.yml | 4 ++--
 .../proc_creation_macos_system_shutdown_reboot.yml | 2 +-
 rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml | 4 ++--
 rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml | 4 ++--
 rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml | 2 +-
 .../win_exploit_cve_2021_1675_printspooler_security.yml | 4 ++--
 rules/windows/builtin/security/win_impacket_psexec.yml | 2 +-
 .../builtin/security/win_lolbas_execution_of_nltest.yml | 4 ++--
 rules/windows/builtin/security/win_susp_psexec.yml | 2 +-
 .../net_connection_win_binary_github_com.yml | 2 +-
 .../net_connection_win_binary_susp_com.yml | 2 +-
 .../powershell_module/posh_pm_suspicious_ad_group_reco.yml | 4 ++--
 .../posh_pm_suspicious_local_group_reco.yml | 6
+++---
 .../powershell_module/posh_pm_suspicious_smb_share_reco.yml | 2 +-
 .../powershell_script/posh_ps_enable_psremoting.yml | 2 +-
 .../powershell_script/posh_ps_invoke_command_remote.yml | 2 +-
 .../powershell_script/posh_ps_invoke_dnsexfiltration.yml | 2 +-
 .../powershell_script/posh_ps_send_mailmessage.yml | 2 +-
 .../posh_ps_suspicious_execute_batch_script.yml | 6 +++---
 .../posh_ps_suspicious_win32_pnpentity.yml | 4 ++--
 .../powershell/powershell_script/posh_ps_timestomp.yml | 4 ++--
 .../windows/powershell/powershell_script/posh_ps_upload.yml | 6 +++---
 .../process_creation/proc_creation_win_certoc_execution.yml | 2 +-
 .../process_creation/proc_creation_win_evil_winrm.yml | 2 +-
 .../windows/process_creation/proc_creation_win_hack_wce.yml | 4 ++--
 rules/windows/process_creation/proc_creation_win_hh_chm.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_mstsc.yml | 2 +-
 .../windows/process_creation/proc_creation_win_pypykatz.yml | 6 +++---
 .../process_creation/proc_creation_win_reg_dump_sam.yml | 4 ++--
 .../proc_creation_win_susp_codepage_switch.yml | 2 +-
 .../proc_creation_win_susp_netsh_command.yml | 4 ++--
 .../proc_creation_win_susp_network_command.yml | 4 ++--
 .../proc_creation_win_susp_registration_via_cscript.yml | 2 +-
 .../proc_creation_win_susp_sysvol_access.yml | 2 +-
 .../proc_creation_win_susp_tasklist_command.yml | 2 +-
 rules/windows/registry_event/registry_event_mal_netwire.yml | 2 +-
 .../registry_event_modify_screensaver_binary_path.yml | 2 +-
 .../registry_event_suspicious_keyboard_layout_load.yml | 4 ++--
 55 files changed, 78 insertions(+), 78 deletions(-)
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index b095d3774..d508eb6ba 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
@@ -23,5 +23,5 @@ detection:
 - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
 condition: selection
 falsepositives:
- - remote administrative tasks on Windows Events
+ - Remote administrative tasks on Windows Events
 level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index 123925f97..efc3afa76 100644
--- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -30,5 +30,5 @@ detection:
 - ae33069b-a2a8-46ee-a235-ddfd339be281
 condition: selection
 falsepositives:
- - actual printing
+ - Actual printing
 level: high
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index 14a1ac8d1..34c2e31c2 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -17,7 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
 - attack.exfiltration
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
index 9c34fe514..3b9fa3d5a 100644
--- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
@@ -17,7 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
 - attack.impact
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
index 90b4a790c..4c43c2a72 100644
--- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
@@ -17,7 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index eedd79768..02bb71925 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -18,4 +18,4 @@ detection:
 condition: selection
 level: medium
 falsepositives:
- - None
+ - Unknown
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index 70d03d204..9977fa858 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
@@ -23,7 +23,7 @@ detection:
 - 'of='
 condition: execve and (all of truncate or (all of dd and not filter))
 falsepositives:
- - 'Legitimate script work'
+ - Legitimate script work
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
index c2f250151..09d9a55b6 100644
--- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
@@ -22,7 +22,7 @@ detection:
 - '-r'
 condition: execve and touch and selection2
 falsepositives:
- - 'Unknown'
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index b8d06ee1a..e1877ffab 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -18,7 +18,7 @@ detection:
 - 'password'
 condition: execve and all of passwordgrep
 falsepositives:
- - 'Unknown'
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
index 466b7b7a2..ef91d1ef2 100644
--- a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
+++ b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
@@ -16,7 +16,7 @@ detection:
 comm: 'split'
 condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
+ - Legitimate administrative activity
 level: low
 tags:
 - attack.exfiltration
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
index 64c956a34..cd613bb72 100644
--- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -28,8 +28,8 @@ fields:
 - a3
 - key
 falsepositives:
- - 'Legitimate administrative activity'
- - 'Ligitimate software, cleaning hist file'
+ - Legitimate administrative activity
+ - Ligitimate software, cleaning hist file
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index a83d8d225..61dfc0fb6 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -26,7 +26,7 @@ detection:
 - '6'
 condition: execve and (shutdowncmd or (init and initselection))
 falsepositives:
- - 'Legitimate administrative activity'
+ - Legitimate administrative activity
 level: informational
 tags:
 - attack.impact
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 8f1d0c9cf..1ff8c18a3 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
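Review bot: The re-quoted entry `+ - Ligitimate software, cleaning hist file` in the lnx_auditd_susp_histfile_operations.yml hunk keeps the misspelling `Ligitimate` even though the line is being rewritten anyway; `- Legitimate software, cleaning hist file` would fix it in the same touch and match the harmonized spelling used one line above. The identical line is rewritten with the same typo in the proc_creation_macos_susp_histfile_operations.yml hunk further down.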
@@ -9,11 +9,11 @@ references:
 logsource:
 product: linux
 detection:
- keyword:
+ keyword:
 - '/etc/ld.so.preload'
 condition: keyword
 falsepositives:
- - rare temporary workaround for library misconfiguration
+ - Rare temporary workaround for library misconfiguration
 level: high
 tags:
 - attack.persistence
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/linux/macos/process_creation/proc_creation_macos_binary_padding.yml
index 0462fbd05..fd3cfb82c 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_binary_padding.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -25,7 +25,7 @@ detection:
 CommandLine|contains: 'of='
 condition: selection1 or (selection2 and not filter)
 falsepositives:
- - 'Legitimate script work'
+ - Legitimate script work
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/linux/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
index 74d6d0fab..508f26f03 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
@@ -21,7 +21,7 @@ detection:
 - '-r'
 condition: selection1 and selection2
 falsepositives:
- - 'Unknown'
+ - Unknown
 level: medium
 tags:
 - attack.defense_evasion
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/linux/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
index 7b04c2933..220f44f01 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
@@ -20,7 +20,7 @@ detection:
 CommandLine|contains: 'laZagne'
 condition: selection1 or selection2
 falsepositives:
- - 'Unknown'
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml b/rules/linux/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
index 6f18c4de7..077c41844 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
@@ -15,7 +15,7 @@ detection:
 Image|endswith: '/split'
 condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
+ - Legitimate administrative activity
 level: low
 tags:
 - attack.exfiltration
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/rules/linux/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
index 4156d18d3..ff2c21434 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
@@ -21,8 +21,8 @@ detection:
 - 'fish_history'
 condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
- - 'Ligitimate software, cleaning hist file'
+ - Legitimate administrative activity
+ - Ligitimate software, cleaning hist file
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/linux/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml b/rules/linux/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
index 5e6350327..27326b8bf 100644
--- a/rules/linux/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
+++ b/rules/linux/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
@@ -18,7 +18,7 @@ detection:
 - '/halt'
 condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
+ - Legitimate administrative activity
 level: informational
 tags:
 - attack.impact
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index 568d8a0f6..188fcef8b 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -43,8 +43,8 @@ detection:
 operation: 'StartServiceW'
 condition: 1 of op*
 falsepositives:
- - 'Windows administrator tasks or troubleshooting'
- - 'Windows management scripts or software'
+ - Windows administrator tasks or troubleshooting
+ - Windows management scripts or software
 level: medium
 tags:
 - attack.execution
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index d9dfdcfbc..99f97de0b 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -31,8 +31,8 @@ detection:
 operation: 'SeclCreateProcessWithLogonExW'
 condition: 1 of op*
 falsepositives:
- - 'Windows administrator tasks or troubleshooting'
- - 'Windows management scripts or software'
+ - Windows administrator tasks or troubleshooting
+ - Windows management scripts or software
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 2093f2dfd..bfa5b20b1 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -26,7 +26,7 @@ detection:
 path|startswith: 'PSEXESVC'
 condition: selection1 and not selection2
 falsepositives:
- - nothing observed so far
+ - Unknown
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
index 0820f80fb..6c606fede 100644
--- a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -9,7 +9,7 @@ references:
 date: 2021/07/02
 tags:
 - attack.execution
- - attack.t1569
+ - attack.t1569
 - cve.2021.1675
 - cve.2021.34527
 logsource:
@@ -24,4 +24,4 @@ detection:
 ObjectType: 'File'
 condition: selection
 falsepositives:
- - nothing observed so far
+ - Unknown
diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml
index 2cf64dfca..9257af8ce 100644
--- a/rules/windows/builtin/security/win_impacket_psexec.yml
+++ b/rules/windows/builtin/security/win_impacket_psexec.yml
@@ -21,7 +21,7 @@ detection:
 - 'RemCom_stderrt'
 condition: selection1
 falsepositives:
- - nothing observed so far
+ - Unknown
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
index 2bc2ee687..9d5b695f6 100644
--- a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
+++ b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
@@ -7,7 +7,7 @@ description: The attacker might use LOLBAS nltest.exe for discovery of domain co
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
 - https://attack.mitre.org/software/S0359/
-tags:
+tags:
 - attack.discovery
 - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
 - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
@@ -26,5 +26,5 @@ fields:
 - 'SubjectDomainName'
 falsepositives:
 - Red team activity
- - rare legitimate use by an administrator
+ - Rare legitimate use by an administrator
 level: high
diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml
index 2934d2fcf..98c71a6a2 100644
--- a/rules/windows/builtin/security/win_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_susp_psexec.yml
@@ -23,7 +23,7 @@ detection:
 RelativeTargetName|startswith: 'PSEXESVC'
 condition: selection1 and not filter
 falsepositives:
- - nothing observed so far
+ - Unknown
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/network_connection/net_connection_win_binary_github_com.yml b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
index d275abb15..25cb76e05 100755
--- a/rules/windows/network_connection/net_connection_win_binary_github_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
@@ -21,7 +21,7 @@ detection:
 Image|startswith: 'C:\Windows\'
 condition: selection
 falsepositives:
- - 'Unknown'
+ - Unknown
 - '@subTee in your network'
 level: high
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
index 25a11312a..0186dca00 100755
--- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
@@ -21,7 +21,7 @@ detection:
 Image|startswith: 'C:\Windows\'
 condition: selection
 falsepositives:
- - 'Unknown'
+ - Unknown
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
index a79d412bd..b5f3c115a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
@@ -26,10 +26,10 @@ detection:
 - get-aduser
 - '-f '
 - '-pr '
- - DoesNotRequirePreAuth
+ - DoesNotRequirePreAuth
 condition: 1 of test_*
 falsepositives:
- - administrator script
+ - Administrator script
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
index 48a7fef92..4e9033945 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
@@ -14,14 +14,14 @@ logsource:
 category: ps_module
 detection:
 test_3:
- - Payload|contains:
+ - Payload|contains:
 - 'get-localgroup'
 - 'Get-LocalGroupMember'
 - ContextInfo|contains:
 - 'get-localgroup'
 - 'Get-LocalGroupMember'
 test_6:
- - Payload|contains|all:
+ - Payload|contains|all:
 - 'Get-WMIObject'
 - 'Win32_Group'
 - ContextInfo|contains|all:
@@ -29,7 +29,7 @@ detection:
 - 'Win32_Group'
 condition: 1 of test_*
 falsepositives:
- - administrator script
+ - Administrator script
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
index c2815c14f..7dcc21f35 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
@@ -18,7 +18,7 @@ detection:
 - ContextInfo|contains: get-smbshare
 condition: selection
 falsepositives:
- - administrator script
+ - Administrator script
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
index 4c96eba71..5a5d0f0c0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -16,7 +16,7 @@ detection:
 ScriptBlockText|contains: 'Enable-PSRemoting '
 condition: selection_cmdlet
 falsepositives:
- - legitim script
+ - Legitimate script
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index 1792069a1..298d4ba4b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -18,7 +18,7 @@ detection:
 - ' -ComputerName '
 condition: selection_cmdlet
 falsepositives:
- - legitim script
+ - Legitimate script
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index d89a7463f..6b05cc82e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -22,7 +22,7 @@ detection:
 - ' -t '
 condition: selection_cmdlet
 falsepositives:
- - legitim script
+ - Legitimate script
 level: high
 tags:
 - attack.exfiltration
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index 1fad40afd..55560cea3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -19,7 +19,7 @@ detection:
 ScriptBlockText|contains: Send-MailMessage
 condition: selection_cmdlet
 falsepositives:
- - legitim script
+ - Legitimate script
 level: medium
 tags:
 - attack.exfiltration
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml
index 2cb136fec..6c9bd060f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml
@@ -18,12 +18,12 @@ detection:
 selection_start:
 ScriptBlockText|contains: Start-Process
 selection_batch:
- ScriptBlockText|contains:
- - '.cmd'
+ ScriptBlockText|contains:
+ - '.cmd'
 - '.bat'
 condition: all of selection_*
 falsepositives:
- - legitim administration script
+ - Legitimate administration script
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
index 55ce58dd8..1a394505a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
@@ -1,4 +1,4 @@
-title: Powershell Suspicious Win32_PnPEntity
+title: Powershell Suspicious Win32_PnPEntity
 id: b26647de-4feb-4283-af6b-6117661283c5
 status: experimental
 author: frack113
@@ -19,5 +19,5 @@ detection:
 ScriptBlockText|contains: Win32_PnPEntity
 condition: selection
 falsepositives:
- - admin script
+ - Admin script
 level: low
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index b87e3354a..348a66a39 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
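Review bot: posh_ps_suspicious_win32_pnpentity.yml still ends without a trailing newline (`\ No newline at end of file` after `level: low`) even though this commit rewrites the `falsepositives` entry directly above it; terminating the file here would avoid a second whitespace-only commit later. proc_creation_win_hack_wce.yml, further down this page, has the same `\ No newline at end of file` after `level: critical` and is also touched by this commit.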
@@ -17,7 +17,7 @@ logsource:
 definition: EnableScriptBlockLogging must be set to enable
 detection:
 selection_ioc:
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
 - '.CreationTime ='
 - '.LastWriteTime ='
 - '.LastAccessTime ='
@@ -26,5 +26,5 @@ detection:
 - '[IO.File]::SetLastWriteTime'
 condition: selection_ioc
 falsepositives:
- - legitime admin script
+ - Legitimeate admin script
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
index 414698930..3ca1733aa 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
@@ -20,12 +20,12 @@ detection:
 selection_method:
 ScriptBlockText|contains: '-Method '
 selection_verb:
- - ' Put '
+ - ' Put '
 - ' Post '
 condition: all of selection_*
 falsepositives:
- - legitim script
+ - Legitimate script
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1020
+ - attack.t1020
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml
index cbb410149..969f6b4d3 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml
@@ -24,5 +24,5 @@ tags:
 - attack.t1218
 level: medium
 falsepositives:
-- None
+- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
index eeb76a86e..5ee88e8ea 100644
--- a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
@@ -19,7 +19,7 @@ detection:
 - '-p '
 condition: 1 of selection_*
 falsepositives:
- - Unknow
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
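Review bot: The added line `- Legitimeate admin script` in the second hunk of posh_ps_timestomp.yml trades the old misspelling `legitime` for a new one; it should read `- Legitimate admin script`, in line with the `- Legitimate script` wording this commit uses for the neighbouring posh_ps_* rules.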
diff --git a/rules/windows/process_creation/proc_creation_win_hack_wce.yml b/rules/windows/process_creation/proc_creation_win_hack_wce.yml
index 7ccd379cc..cd0b2e9c0 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_wce.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_wce.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection1:
- - Imphash:
+ - Imphash:
 - a53a02b997935fd8eedcb5f7abab9b9f
 - e96a73c7bf33a464c510ede582318bf2
 - Hashes|contains: # Sysmon field hashes contains all types
@@ -29,5 +29,5 @@ detection:
 Image|endswith: '\clussvc.exe'
 condition: ( selection1 or selection2 ) and not filter
 falsepositives:
- - 'Another service that uses a single -s command line switch'
+ - Another service that uses a single -s command line switch
 level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm.yml b/rules/windows/process_creation/proc_creation_win_hh_chm.yml
index 31d4db1ec..33f18d2c5 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm.yml
@@ -21,7 +21,7 @@ fields:
 - User
 - CommandLine
 falsepositives:
- - unlike
+ - Unlikely
 level: high
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml
index 385f05ceb..bc9a773bd 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml
@@ -22,7 +22,7 @@ detection:
 - '/pass:'
 condition: 1 of selection_*
 falsepositives:
- - Unknow
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/process_creation/proc_creation_win_pypykatz.yml b/rules/windows/process_creation/proc_creation_win_pypykatz.yml
index 514264149..3fd5ac17d 100644
--- a/rules/windows/process_creation/proc_creation_win_pypykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_pypykatz.yml
@@ -12,15 +12,15 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith:
+ Image|endswith:
 - \pypykatz.exe
 - \python.exe
 CommandLine|contains|all:
 - live
- - registry
+ - registry
 condition: selection
 falsepositives:
- - Unknow
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml b/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml
index cac8c4d8b..72832fd93 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml
@@ -13,13 +13,13 @@ detection:
 selection_reg:
 CommandLine|contains: ' save '
 selection_key:
- CommandLine|contains:
+ CommandLine|contains:
 - HKLM\sam
 - HKLM\system
 - HKLM\security
 condition: all of selection_*
 falsepositives:
- - Unknow
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
index 0b4058ef9..dda54022f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml
@@ -25,7 +25,7 @@ detection:
 fields:
 - ParentCommandLine
 falsepositives:
- - "Administrative activity (adjust code pages according to your organisation's region)"
+ - Administrative activity (adjust code pages according to your organisation's region)
 level: medium
 tags:
 - attack.t1036
diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml b/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
index 614a65daa..c2e8f7426 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
@@ -11,7 +11,7 @@ logsource:
 product: windows
 detection:
 network_cmd:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'netsh '
 - 'advfirewall '
 - 'firewall '
@@ -20,7 +20,7 @@ detection:
 - 'name=all'
 condition: network_cmd
 falsepositives:
- - administrator, hotline ask to user
+ - Administrator, hotline ask to user
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index 8c2f5367a..446e2a456 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -11,7 +11,7 @@ logsource:
 product: windows
 detection:
 network_cmd:
- CommandLine|contains:
+ CommandLine|contains:
 - 'ipconfig /all'
 - 'netsh interface show interface'
 - 'arp -a'
@@ -19,7 +19,7 @@ detection:
 - 'net config'
 condition: network_cmd
 falsepositives:
- - administrator, hotline ask to user
+ - Administrator, hotline ask to user
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml b/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
index ae050a068..12487b092 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
@@ -29,4 +29,4 @@ tags:
 - attack.t1218
 level: medium
 falsepositives:
-- None
+- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
index c48a543f1..26e7b9d0a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
@@ -18,7 +18,7 @@ detection:
 - '\policies\'
 condition: selection
 falsepositives:
- - administrative activity
+ - Administrative activity
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
index 0bafac3f9..cf30cd742 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
@@ -15,7 +15,7 @@ detection:
 - Image: C:\Windows\System32\tasklist.exe
 condition: tasklist
 falsepositives:
- - administrator, hotline ask to user
+ - Administrator, hotline ask to user
 level: low
 tags:
 - attack.discovery
diff --git a/rules/windows/registry_event/registry_event_mal_netwire.yml b/rules/windows/registry_event/registry_event_mal_netwire.yml
index f844af140..0f63e54a6 100644
--- a/rules/windows/registry_event/registry_event_mal_netwire.yml
+++ b/rules/windows/registry_event/registry_event_mal_netwire.yml
@@ -26,4 +26,4 @@ detection:
 TargetObject|contains: '\software\NetWire'
 condition: selection1
 falsepositives:
- - No known false positives
+ - Unknown
diff --git a/rules/windows/registry_event/registry_event_modify_screensaver_binary_path.yml b/rules/windows/registry_event/registry_event_modify_screensaver_binary_path.yml
index 8d3d3b261..246c22663 100644
--- a/rules/windows/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -20,7 +20,7 @@ detection:
 - '\explorer.exe'
 condition: selection and not filter
 falsepositives:
- - 'Legitimate modification of screensaver.'
+ - Legitimate modification of screensaver
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/registry_event/registry_event_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/registry_event_suspicious_keyboard_layout_load.yml
index c02cf18c9..c0f6eed5c 100755
--- a/rules/windows/registry_event/registry_event_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/registry_event_suspicious_keyboard_layout_load.yml
@@ -14,7 +14,7 @@ logsource:
 definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
 selection_registry:
- EventType: SetValue
+ EventType: SetValue
 TargetObject|contains:
 - '\Keyboard Layout\Preload\'
 - '\Keyboard Layout\Substitutes\'
@@ -24,7 +24,7 @@ detection:
 - 0000042a # Vietnamese
 condition: selection_registry
 falsepositives:
- - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
+ - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
 level: medium
 tags:
 - attack.resource_development