Merge branch 'master' of https://github.com/redsand/sigma into hawk

2022-01-28 00:24:07 +00:00
parent 3c115408b6 1431992e4e
commit c4efcae4e0
767 changed files with 2269 additions and 787 deletions
@@ -17,7 +17,6 @@ references:
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 tags:
    - attack.persistence
-    - attack.t1100 # an old one
    - attack.t1505.003
 logsource:
    product: antivirus
@@ -0,0 +1,34 @@
+title: Remote Schedule Task Lateral Movement via ATSvc
+id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
+description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
+references:
+    - https://attack.mitre.org/techniques/T1053/
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+    - attack.t1053
+    - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+        OpNum:
+          - 0
+          - 1
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,31 @@
+title: Remote Schedule Task Recon via AtScv
+id: f177f2bc-5f3e-4453-b599-57eefce9a59c
+description: Detects remote RPC calls to read information about scheduled tasks via AtScv
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+    filter:
+      OpNum:
+        - 0
+        - 1
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,33 @@
+title: Possible DCSync Attack
+id: 56fda488-113e-4ce9-8076-afc2457922c3
+description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
+references:
+    - https://attack.mitre.org/techniques/T1033/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
+    filter:
+      OpNum:
+        - 0
+        - 1
+        - 12
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,30 @@
+title: Remote Encrypting File System Abuse
+id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid:
+          - df1941c5-fe89-4e79-bf10-463657acf44d
+          - c681d488-d850-11d0-8c52-00c04fd90f7e
+    condition: selection
+falsepositives:
+    - Legitimate usage of remote file encryption
+level: high
@@ -0,0 +1,27 @@
+title: Remote Event Log Recon
+id: 2053961f-44c7-4a64-b62d-f6e72800af0d
+description: Detects remote RPC calls to get event log information via EVEN or EVEN6
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid:
+          - 82273fdc-e32a-18c3-3f78-827929dc23ea
+          - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
+    condition: selection
+falsepositives:
+    - remote administrative tasks on Windows Events
+level: high
@@ -0,0 +1,42 @@
+title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
+id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
+description: Detects remote RPC calls to create or execute a scheduled task
+references:
+    - https://attack.mitre.org/techniques/T1053/
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+    - attack.t1053
+    - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+        OpNum:
+          - 1
+          - 3
+          - 4
+          - 10
+          - 11
+          - 12
+          - 13
+          - 14
+          - 15
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,37 @@
+title: Remote Schedule Task Recon via ITaskSchedulerService
+id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
+description: Detects remote RPC calls to read information about scheduled tasks
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+    filter:
+      OpNum:
+        - 1
+        - 3
+        - 4
+        - 10
+        - 11
+        - 12
+        - 13
+        - 14
+        - 15
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,34 @@
+title: Remote Printing Abuse for Lateral Movement
+id: bc3a4b0c-e167-48e1-aa88-b3020950e560
+description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid:
+          - 12345678-1234-abcd-ef00-0123456789ab
+          - 76f03f96-cdfd-44fc-a22c-64950a001209
+          - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
+          - ae33069b-a2a8-46ee-a235-ddfd339be281
+    condition: selection
+falsepositives:
+    - actual printing
+level: high
@@ -0,0 +1,37 @@
+title: Remote DCOM/WMI Lateral Movement
+id: 68050b10-e477-4377-a99b-3721b422d6ef
+description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://attack.mitre.org/techniques/T1021/003/
+    - https://attack.mitre.org/techniques/T1047/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+    - attack.t1021.003
+    - attack.t1047
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid:
+          - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
+          - 99fcfec4-5260-101b-bbcb-00aa0021347a
+          - 000001a0-0000-0000-c000-000000000046
+          - 00000131-0000-0000-c000-000000000046
+          - 00000143-0000-0000-c000-000000000046
+          - 00000000-0000-0000-c000-000000000046
+    condition: selection
+falsepositives:
+    - Some administrative tasks on remote host
+level: high
@@ -0,0 +1,40 @@
+title: Remote Registry Lateral Movement
+id: 35c55673-84ca-4e99-8d09-e334f3c29539
+description: Detects remote RPC calls to modify the registry and possible execute code
+references:
+    - https://attack.mitre.org/techniques/T1112/
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+        OpNum:
+          - 6
+          - 7
+          - 8
+          - 13
+          - 18
+          - 19
+          - 21
+          - 22
+          - 23
+          - 35
+    condition: selection
+falsepositives:
+    - Remote administration of registry values
+level: high
@@ -0,0 +1,38 @@
+title: Remote Registry Recon
+id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
+description: Detects remote RPC calls to collect information
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+    filter:
+      OpNum:
+        - 6
+        - 7
+        - 8
+        - 13
+        - 18
+        - 19
+        - 21
+        - 22
+        - 23
+        - 35
+    condition: selection and not filter
+falsepositives:
+    - Remote administration of registry values
+level: high
@@ -0,0 +1,28 @@
+title: Remote Server Service Abuse
+id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+    condition: selection
+falsepositives:
+    - Legitimate remote share creation
+level: high
@@ -0,0 +1,30 @@
+title: Remote Server Service Abuse for Lateral Movement
+id: 10018e73-06ec-46ec-8107-9172f1e04ff2
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://attack.mitre.org/techniques/T1569/002/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+    - attack.t1569.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
+    condition: selection
+falsepositives:
+    - Administrative tasks on remote services
+level: high
@@ -0,0 +1,34 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: aff229ab-f8cd-447b-b215-084d11e79eb0
+description: Detects remote RPC calls to create or execute a scheduled task via SASec
+references:
+    - https://attack.mitre.org/techniques/T1053/
+    - https://attack.mitre.org/tactics/TA0008/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.lateral_movement
+    - attack.t1053
+    - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+        OpNum:
+          - 0
+          - 1
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,30 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: 0a3ff354-93fc-4273-8a03-1078782de5b7
+description: Detects remote RPC calls to read information about scheduled tasks via SASec
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+    filter:
+      OpNum:
+        - 0
+        - 1
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,29 @@
+title: SharpHound Recon Account Discovery
+id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+    - https://attack.mitre.org/techniques/T1087/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.t1087
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
+        OpNum: 2
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,29 @@
+title: SharpHound Recon Sessions
+id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+    - https://attack.mitre.org/techniques/T1033/
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
+    - https://github.com/zeronetworks/rpcfirewall
+    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+    - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+    product: rpc_firewall
+    category: application
+    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
+detection:
+    selection:
+        EventLog: RPCFW
+        EventID: 3
+        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+        OpNum: 12
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -31,7 +31,6 @@ level: high
 tags:
  - attack.persistence
  - attack.t1547.001
-  - attack.t1060    # an old one
  - attack.discovery
  - attack.t1057
  - attack.t1082
@@ -32,10 +32,8 @@ level: critical
 tags:
  - attack.execution
  - attack.t1059.001
-  - attack.t1086    # an old one
  - attack.command_and_control
  - attack.t1071.004
-  - attack.t1071    # an old one
  - attack.t1572
  - attack.impact
  - attack.t1529
@@ -24,4 +24,3 @@ level: medium
 tags:
    - attack.defense_evasion
    - attack.t1562.001
-    - attack.t1089  # an old one
@@ -21,4 +21,3 @@ level: high
 tags:
    - attack.defense_evasion
    - attack.t1562.001
-    - attack.t1089  # an old one
@@ -22,8 +22,5 @@ level: high
 tags:
    - attack.execution
    - attack.t1059.001
-    - attack.t1086  # an old one
    - attack.t1059.003
    - attack.t1059.004
-    - attack.t1059  # an old one
-    - attack.t1064  # an old one
@@ -21,4 +21,3 @@ level: high
 tags:
    - attack.defense_evasion
    - attack.t1562.001
-    - attack.t1089  # an old one
@@ -22,4 +22,3 @@ level: medium
 tags:
  - attack.privilege_escalation
  - attack.t1078.004
-  - attack.t1078  # an old one
@@ -28,6 +28,5 @@ falsepositives:
 level: medium
 tags:
  - attack.s0003
-  - attack.t1156      # an old one
  - attack.persistence
  - attack.t1546.004
@@ -28,5 +28,4 @@ falsepositives:
 level: high
 tags:
  - attack.defense_evasion
-  - attack.t1054      # an old one
  - attack.t1562.006
@@ -19,6 +19,5 @@ falsepositives:
  - Admin activity
 level: medium
 tags:
-  - attack.t1136      # an old one
  - attack.t1136.001
  - attack.persistence
@@ -0,0 +1,28 @@
+title: CVE-2021-4034 Exploitation Attempt
+id: 40a016ab-4f48-4eee-adde-bbf612695c53
+description: Detects exploitation attempt of vulnerability described in CVE-2021-4034.
+author: 'Pawel Mazur'
+status: experimental
+date: 2022/01/27
+references:
+   - https://github.com/berdav/CVE-2021-4034
+   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
+   - https://access.redhat.com/security/cve/CVE-2021-4034
+logsource:
+   product: linux
+   service: auditd
+detection:
+    proctitle:
+        type: PROCTITLE
+        proctitle: '(null)'
+    syscall:
+       type: SYSCALL
+       comm: pkexec 
+       exe: '/usr/bin/pkexec'
+    condition: proctitle and syscall
+tags:
+   - attack.privilege_escalation
+   - attack.t1068
+falsepositives:
+   - unknown
+level: high
@@ -0,0 +1,27 @@
+title: Disable System Firewall
+id: 53059bc0-1472-438b-956a-7508a94a91f0
+status: experimental
+description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
+author: 'Pawel Mazur'
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+  - https://attack.mitre.org/techniques/T1562/004/
+  - https://firewalld.org/documentation/man-pages/firewall-cmd.html
+date: 2022/01/22
+logsource:
+  product: linux
+  service: auditd
+detection:
+  service_stop:
+    type: 'SERVICE_STOP'
+    unit: 
+         - 'firewalld'
+         - 'iptables'
+         - 'ufw'
+  condition: service_stop
+falsepositives:
+  - Admin activity
+level: high
+tags:
+  - attack.t1562.004
+  - attack.defense_evasion
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
  - attack.defense_evasion
-  - attack.t1054      # an old one
  - attack.t1562.006
@@ -14,7 +14,6 @@ logsource:
 tags:
    - attack.privilege_escalation
    - attack.t1068
-    - attack.t1169 # an old one
    - attack.t1548.003
    - cve.2019.14287
 detection:
@@ -18,7 +18,6 @@ logsource:
 tags:
    - attack.privilege_escalation
    - attack.t1068
-    - attack.t1169 # an old one
    - attack.t1548.003
    - cve.2019.14287
 detection:
@@ -0,0 +1,22 @@
+title: Linux Doas Conf File Creation
+id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
+status: stable
+description: Detects the creation of doas.conf file in linux host platform.
+references:
+    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
+    - https://www.makeuseof.com/how-to-install-and-use-doas/
+author: Sittikorn S, Teoderick Contreras
+date: 2022/01/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1548
+logsource:
+    product: linux
+    category: file_create
+detection:
+    selection:
+        TargetFilename|endswith: '/etc/doas.conf'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium
@@ -21,6 +21,5 @@ falsepositives:
  - Legitimate administration activities
 level: low
 tags:
-  - attack.t1136      # an old one
  - attack.t1136.001
  - attack.persistence
@@ -13,7 +13,6 @@ references:
 tags:
    - attack.defense_evasion
    - attack.t1562.004
-    - attack.t1089 # an old one
 logsource:
    product: linux
    service: syslog
@@ -0,0 +1,22 @@
+title: Linux Doas Tool Execution
+id: 067d8238-7127-451c-a9ec-fa78045b618b
+status: stable
+description: Detects the doas tool execution in linux host platform.
+references:
+    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
+    - https://www.makeuseof.com/how-to-install-and-use-doas/
+author: Sittikorn S, Teoderick Contreras
+date: 2022/01/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1548
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/doas'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: low
@@ -10,7 +10,6 @@ references:
 tags:
    - attack.defense_evasion
    - attack.t1562.004
-    - attack.t1089 # an old one
 logsource:
    category: process_creation
    product: linux
@@ -8,7 +8,6 @@ date: 2021/10/15
 author: Florian Roth
 tags:
    - attack.persistence
-    - attack.t1100 # an old one
    - attack.t1505.003
 logsource:
   product: linux
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
  - attack.defense_evasion
-  - attack.t1146            # an old one
  - attack.t1070.003
@@ -29,9 +29,6 @@ tags:
  - attack.discovery
  - attack.credential_access
  - attack.collection
-  - attack.t1087             # an old one
  - attack.t1087.001
-  - attack.t1003             # an old one
-  - attack.t1081             # an old one
  - attack.t1552.001
  - attack.t1005
@@ -27,7 +27,5 @@ level: high
 tags:
  - attack.credential_access
  - attack.defense_evasion
-  - attack.t1130            # an old one
  - attack.t1553.004
-  - attack.t1145            # an old one
  - attack.t1552.004
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
  - attack.defense_evasion
-  - attack.t1089            # an old one
  - attack.t1562.001
@@ -24,5 +24,4 @@ tags:
  - attack.impact
  - attack.t1495
  - attack.t1529
-  - attack.t1492            # an old one
  - attack.t1565.001
@@ -23,9 +23,6 @@ level: medium
 tags:
  - attack.defense_evasion
  - attack.impact
-  - attack.t1107            # an old one
  - attack.t1070.004
-  - attack.t1488            # an old one
  - attack.t1561.001
-  - attack.t1487            # an old one
  - attack.t1561.002
@@ -22,5 +22,4 @@ falsepositives:
 level: medium
 tags:
  - attack.credential_access
-  - attack.t1139            # an old one
  - attack.t1552.003
@@ -21,6 +21,5 @@ falsepositives:
 level: high
 tags:
  - attack.persistence
-  - attack.t1136            # an old one
  - attack.t1136.001
  - attack.t1098
@@ -30,7 +30,5 @@ tags:
  - attack.impact
  - attack.t1490
  - attack.t1505
-  - attack.t1493            # an old one
  - attack.t1565.002
-  - attack.t1168            # an old one
  - attack.t1053
@@ -30,5 +30,4 @@ tags:
  - attack.exfiltration
  - attack.t1074
  - attack.t1105
-  - attack.t1002            # an old one
  - attack.t1560.001
@@ -19,8 +19,6 @@ falsepositives:
 level: high
 tags:
  - attack.command_and_control
-  - attack.t1071   # an old one
  - attack.t1071.004
  - attack.exfiltration
-  - attack.t1048   # an old one
  - attack.t1048.003
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
    - attack.exfiltration
-    - attack.t1048 # an old one
    - attack.t1048.003
 logsource:
    category: firewall
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
    - attack.exfiltration
-    - attack.t1048 # an old one
    - attack.t1048.003
    - attack.command_and_control
-    - attack.t1071 # an old one
    - attack.t1071.004
 logsource:
    category: firewall
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
    - attack.exfiltration
-    - attack.t1048 # an old one
    - attack.t1048.003
 logsource:
    category: dns
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
    - attack.exfiltration
-    - attack.t1048 # an old one
    - attack.t1048.003
    - attack.command_and_control
-    - attack.t1071 # an old one
    - attack.t1071.004
 logsource:
    category: dns
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
  - attack.exfiltration
-  - attack.t1048   # an old one
  - attack.t1048.003
  - attack.command_and_control
-  - attack.t1071   # an old one
  - attack.t1071.004
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
  - attack.exfiltration
-  - attack.t1048   # an old one
  - attack.t1048.003
  - attack.command_and_control
-  - attack.t1071   # an old one
  - attack.t1071.004
@@ -23,5 +23,4 @@ falsepositives:
 level: critical
 tags:
    - attack.command_and_control
-    - attack.t1071 # an old one
    - attack.t1071.004
@@ -18,8 +18,6 @@ falsepositives:
 level: medium
 tags:
    - attack.exfiltration
-    - attack.t1048 # an old one
    - attack.t1048.003
    - attack.command_and_control
-    - attack.t1071 # an old one
    - attack.t1071.004
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
  - attack.command_and_control
-  - attack.t1071   # an old one
  - attack.t1071.004
@@ -21,5 +21,4 @@ falsepositives:
 level: medium
 tags:
    - attack.command_and_control
-    - attack.t1102 # an old one
    - attack.t1102.002
@@ -9,7 +9,6 @@ date: 2020/05/03
 modified: 2021/11/14
 tags:
    - attack.discovery
-    - attack.t1087 # an old one
    - attack.t1087.002
    - attack.t1082
 logsource:
@@ -48,8 +48,6 @@ falsepositives:
 level: medium
 tags:
  - attack.execution
-  - attack.t1035   # an old one
  - attack.t1047
-  - attack.t1053   # an old one
  - attack.t1053.002
  - attack.t1569.002
@@ -36,5 +36,4 @@ falsepositives:
 level: medium
 tags:
  - attack.persistence
-  - attack.t1004   # an old one
  - attack.t1547.004
@@ -12,7 +12,6 @@ logsource:
    service: dns
    product: zeek
 tags:
-  - attack.t1035 # an old one
  - attack.t1569.002
  - attack.t1496
 detection:
@@ -11,9 +11,8 @@ references:
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 author: '@neu5ron, SOC Prime Team, Corelight'
 tags:
-  - attack.t1094 # an old one
  - attack.t1095
-  - attack.t1043
+  - attack.t1571
  - attack.command_and_control
 logsource:
  product: zeek
@@ -5,7 +5,6 @@ description: Detects connections from routable IPs to an RDP listener - which is
 references:
    - https://attack.mitre.org/techniques/T1021/001/
 tags:
-    - attack.t1021 # an old one
    - attack.t1021.001
 author: 'Josh Brower @DefensiveDepth'
 date: 2020/08/22
@@ -22,7 +22,6 @@ level: medium
 tags:
  - attack.lateral_movement
  - attack.persistence
-  - attack.t1053   # an old one
  - car.2013-05-004
  - car.2015-04-001
  - attack.t1053.002
@@ -23,7 +23,6 @@ falsepositives:
 level: high
 tags:
  - attack.credential_access
-  - attack.t1003   # an old one
  - attack.t1003.002
  - attack.t1003.004
  - attack.t1003.003
@@ -39,5 +39,4 @@ falsepositives:
 level: high
 tags:
  - attack.lateral_movement
-  - attack.t1077   # an old one
  - attack.t1021.002
@@ -30,5 +30,4 @@ falsepositives:
 level: high
 tags:
  - attack.lateral_movement
-  - attack.t1077   # an old one
  - attack.t1021.002
@@ -27,7 +27,6 @@ falsepositives:
 level: medium
 tags:
  - attack.credential_access
-  - attack.t1003   # an old one
  - attack.t1003.002
  - attack.t1003.001
  - attack.t1003.003
@@ -22,5 +22,4 @@ falsepositives:
 level: medium
 tags:
  - attack.credential_access
-  - attack.t1208   # an old one
  - attack.t1558.003
@@ -23,7 +23,5 @@ level: high
 tags:
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
  - attack.exfiltration
  - attack.t1567.002
-  - attack.t1048    # an old one 
@@ -23,4 +23,3 @@ level: critical
 tags:
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
@@ -30,4 +30,4 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043  # an old one
+ 
@@ -25,4 +25,3 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043  # an old one
@@ -22,4 +22,3 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
@@ -25,4 +25,3 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
@@ -113,4 +113,3 @@ tags:
  - attack.execution
  - attack.t1203
  - attack.t1204.002
-  - attack.t1204    # an old one
@@ -62,4 +62,3 @@ tags:
  - attack.execution
  - attack.t1203
  - attack.t1204.002
-  - attack.t1204    # an old one
@@ -27,4 +27,3 @@ level: high
 tags:
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
@@ -28,4 +28,3 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043  # an old one
@@ -30,4 +30,3 @@ tags:
  - attack.credential_access
  - attack.t1528
  - attack.t1552.001
-  - attack.t1081    # an old one
@@ -23,7 +23,5 @@ level: critical
 tags:
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
  - attack.t1102.001
  - attack.t1102.003
-  - attack.t1102    # an old one
@@ -27,8 +27,6 @@ level: high
 tags:
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
  - attack.t1102.001
  - attack.t1102.003
  - attack.defense_evasion
-  - attack.t1102    # an old one
@@ -24,7 +24,5 @@ tags:
  - attack.t1189
  - attack.execution
  - attack.t1204.002
-  - attack.t1204    # an old one
  - attack.defense_evasion
  - attack.t1036.005
-  - attack.t1036    # an old one
@@ -32,6 +32,4 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
  - attack.t1102.002
-  - attack.t1102    # an old one
@@ -20,5 +20,4 @@ tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1071.001
-  - attack.t1043    # an old one
  - attack.g0010
@@ -30,9 +30,7 @@ level: critical
 tags:
    - attack.initial_access
    - attack.t1566.001
-    - attack.t1193  # an old one
    - attack.execution
    - attack.t1204.002
-    - attack.t1204  # an old one
    - attack.command_and_control
    - attack.t1071.001
--- a/Show More
+++ b/Show More