diff --git a/rules/windows/malware/av_exploiting.yml b/rules/application/antivirus/av_exploiting.yml
similarity index 100%
rename from rules/windows/malware/av_exploiting.yml
rename to rules/application/antivirus/av_exploiting.yml
diff --git a/rules/windows/malware/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
similarity index 100%
rename from rules/windows/malware/av_hacktool.yml
rename to rules/application/antivirus/av_hacktool.yml
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/application/antivirus/av_password_dumper.yml
similarity index 100%
rename from rules/windows/malware/av_password_dumper.yml
rename to rules/application/antivirus/av_password_dumper.yml
diff --git a/rules/windows/malware/av_printernightmare_cve_2021_34527.yml b/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
similarity index 100%
rename from rules/windows/malware/av_printernightmare_cve_2021_34527.yml
rename to rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml
similarity index 100%
rename from rules/windows/malware/av_relevant_files.yml
rename to rules/application/antivirus/av_relevant_files.yml
diff --git a/rules/windows/malware/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
similarity index 98%
rename from rules/windows/malware/av_webshell.yml
rename to rules/application/antivirus/av_webshell.yml
index 90a124677..826dfffd3 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/application/antivirus/av_webshell.yml
@@ -17,7 +17,6 @@ references:
 - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 tags:
 - attack.persistence
- - attack.t1100 # an old one
 - attack.t1505.003
 logsource:
 product: antivirus
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
similarity index 100%
rename from rules/application/appframework_django_exceptions.yml
rename to rules/application/django/appframework_django_exceptions.yml
diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/application/edr/windows/edr_command_execution_by_office_applications.yml
similarity index 100%
rename from rules/windows/edr/edr_command_execution_by_office_applications.yml
rename to rules/application/edr/windows/edr_command_execution_by_office_applications.yml
diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
similarity index 100%
rename from rules/application/app_python_sql_exceptions.yml
rename to rules/application/python/app_python_sql_exceptions.yml
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
new file mode 100644
index 000000000..74039ee14
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -0,0 +1,34 @@
+title: Remote Schedule Task Lateral Movement via ATSvc
+id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
+description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+ OpNum:
+ - 0
+ - 1
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
new file mode 100644
index 000000000..4ee610ce7
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
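Review bot: The tags block lists the parent technique `- attack.t1053` directly above its sub-technique `- attack.t1053.002`, which is the same parent/sub-technique duplication this commit removes elsewhere as `# an old one` (for example `attack.t1136` beside `attack.t1136.001`). Dropping the `- attack.t1053` line keeps the new rules consistent with that cleanup. The same pair is added in the ITaskSchedulerService and SASec lateral-movement rules further down.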
@@ -0,0 +1,31 @@
+title: Remote Schedule Task Recon via AtScv
+id: f177f2bc-5f3e-4453-b599-57eefce9a59c
+description: Detects remote RPC calls to read information about scheduled tasks via AtScv
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+ filter:
+ OpNum:
+ - 0
+ - 1
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
new file mode 100644
index 000000000..badff3ec5
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
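Review bot: `title` and `description` spell the interface `AtScv`, while the sibling lateral-movement rule and the MS-TSCH reference call it ATSvc; `title: Remote Schedule Task Recon via ATSvc` and `description: Detects remote RPC calls to read information about scheduled tasks via ATSvc` keep the pair searchable under one name. The references list `https://github.com/zeronetworks/rpcfirewall` twice (the eventlog recon rule repeats it as well). This recon rule also has no `tags` block although it references TA0007; `tags:` with `- attack.discovery` would match the cited tactic, and the eventlog, ITaskSchedulerService, registry and SASec recon rules below lack tags in the same way.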
@@ -0,0 +1,33 @@
+title: Possible DCSync Attack
+id: 56fda488-113e-4ce9-8076-afc2457922c3
+description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
+ filter:
+ OpNum:
+ - 0
+ - 1
+ - 12
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
new file mode 100644
index 000000000..46b0150c2
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
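Review bot: The only technique tag is `- attack.t1033` (System Owner/User Discovery), which does not describe the DCSync / DCShadow behaviour the title and description claim; the ATT&CK entries for those are T1003.006 (OS Credential Dumping: DCSync) and T1207 (Rogue Domain Controller), so `- attack.credential_access` and `- attack.t1003.006` would be the fitting tags, and the T1033 reference link should follow. Separately, the description says the calls come from non-DC hosts, but the selection keys only on interface UUID and opnum and contains no source filter; excluding legitimate replication rests entirely on the firewall scoping described in `definition`. That dependency belongs in `falsepositives`, e.g. `- Replication between domain controllers when the RPC Firewall is not limited to trusted DC addresses`.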
@@ -0,0 +1,30 @@
+title: Remote Encrypting File System Abuse
+id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - df1941c5-fe89-4e79-bf10-463657acf44d
+ - c681d488-d850-11d0-8c52-00c04fd90f7e
+ condition: selection
+falsepositives:
+ - Legitimate usage of remote file encryption
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
new file mode 100644
index 000000000..b095d3774
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
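Review bot: The `definition` string opens a double quote before `audit:true` and never closes it, unlike the ATSvc and registry rules, whose definitions end with `..."'`; add the closing `"` before the final `'`. The same unclosed quote appears in the printing, DCOM/WMI, server service, remote service and both SharpHound rules below. It is harmless to the YAML parser because of the outer single quotes, but the text is written as something the operator copies into the RPC Firewall configuration, so the mismatched quote is a trap at deployment time.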
@@ -0,0 +1,27 @@
+title: Remote Event Log Recon
+id: 2053961f-44c7-4a64-b62d-f6e72800af0d
+description: Detects remote RPC calls to get event log information via EVEN or EVEN6
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 82273fdc-e32a-18c3-3f78-827929dc23ea
+ - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
+ condition: selection
+falsepositives:
+ - remote administrative tasks on Windows Events
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
new file mode 100644
index 000000000..e6cf10772
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -0,0 +1,42 @@
+title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
+id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
+description: Detects remote RPC calls to create or execute a scheduled task
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+ OpNum:
+ - 1
+ - 3
+ - 4
+ - 10
+ - 11
+ - 12
+ - 13
+ - 14
+ - 15
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
new file mode 100644
index 000000000..67ed17d74
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -0,0 +1,37 @@
+title: Remote Schedule Task Recon via ITaskSchedulerService
+id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
+description: Detects remote RPC calls to read information about scheduled tasks
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+ filter:
+ OpNum:
+ - 1
+ - 3
+ - 4
+ - 10
+ - 11
+ - 12
+ - 13
+ - 14
+ - 15
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
new file mode 100644
index 000000000..123925f97
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -0,0 +1,34 @@
+title: Remote Printing Abuse for Lateral Movement
+id: bc3a4b0c-e167-48e1-aa88-b3020950e560
+description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 12345678-1234-abcd-ef00-0123456789ab
+ - 76f03f96-cdfd-44fc-a22c-64950a001209
+ - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
+ - ae33069b-a2a8-46ee-a235-ddfd339be281
+ condition: selection
+falsepositives:
+ - actual printing
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
new file mode 100644
index 000000000..ea909d4da
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -0,0 +1,37 @@
+title: Remote DCOM/WMI Lateral Movement
+id: 68050b10-e477-4377-a99b-3721b422d6ef
+description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://attack.mitre.org/techniques/T1021/003/
+ - https://attack.mitre.org/techniques/T1047/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+ - attack.t1021.003
+ - attack.t1047
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
+ - 99fcfec4-5260-101b-bbcb-00aa0021347a
+ - 000001a0-0000-0000-c000-000000000046
+ - 00000131-0000-0000-c000-000000000046
+ - 00000143-0000-0000-c000-000000000046
+ - 00000000-0000-0000-c000-000000000046
+ condition: selection
+falsepositives:
+ - Some administrative tasks on remote host
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
new file mode 100644
index 000000000..d6c6eacab
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
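Review bot: The `definition` tells the operator to audit `uuid:367abb81-9844-35f1-ad32-98f038001003`, but the selection matches six different interface UUIDs (`4d9f4ab8-7d1c-11cf-861e-0020af6e7c57` through `00000000-0000-0000-c000-000000000046`), and 367abb81 is the UUID the remote service rule below keys on, so the requirement looks copied from that rule; a deployment that follows it as written would not produce the events this rule needs. Rewrite the definition to list the UUIDs that appear under `InterfaceUuid`. The `ms-srvs` documentation link also appears to be carried over from the server service rule rather than describing DCOM, which is worth confirming before merge.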
@@ -0,0 +1,40 @@
+title: Remote Registry Lateral Movement
+id: 35c55673-84ca-4e99-8d09-e334f3c29539
+description: Detects remote RPC calls to modify the registry and possible execute code
+references:
+ - https://attack.mitre.org/techniques/T1112/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+ OpNum:
+ - 6
+ - 7
+ - 8
+ - 13
+ - 18
+ - 19
+ - 21
+ - 22
+ - 23
+ - 35
+ condition: selection
+falsepositives:
+ - Remote administration of registry values
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
new file mode 100644
index 000000000..237e3d5ea
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
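Review bot: The references cite T1112 but `tags` carries only `- attack.lateral_movement` with no technique; add `- attack.t1112` so the tags agree with the cited technique. The description's `possible execute code` reads as a typo for `possibly execute code`. The EFS rule above has the same shape, referencing CVE-2021-36942 and TA0008 while tagging only the tactic.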
@@ -0,0 +1,38 @@
+title: Remote Registry Recon
+id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
+description: Detects remote RPC calls to collect information
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+ filter:
+ OpNum:
+ - 6
+ - 7
+ - 8
+ - 13
+ - 18
+ - 19
+ - 21
+ - 22
+ - 23
+ - 35
+ condition: selection and not filter
+falsepositives:
+ - Remote administration of registry values
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
new file mode 100644
index 000000000..33edaab4b
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
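Review bot: `description: Detects remote RPC calls to collect information` names neither what is collected nor the protocol, while every sibling rule names its interface; `description: Detects remote RPC calls to read information from the remote registry via MS-RRP` matches the title and the MS-RRP references. The `filter` here excludes exactly the opnum list the registry lateral-movement rule above selects, so the two rules partition MS-RRP traffic between them; a sentence saying so would help whoever tunes them together, since loosening one silently widens the other.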
@@ -0,0 +1,28 @@
+title: Remote Server Service Abuse
+id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+ condition: selection
+falsepositives:
+ - Legitimate remote share creation
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
new file mode 100644
index 000000000..10bdf7a1e
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
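Review bot: The description says the rule detects abuse of the `remote encryption service via MS-SRVS`, which is the EFS rule's wording; the title, the interface UUID and the MS-SRVS reference all concern the Server Service. `description: Detects remote RPC calls to possibly abuse the remote Server Service via MS-SRVS` restores agreement with the title. `falsepositives` lists only share creation, yet the selection has no opnum filter and so matches every MS-SRVS call the firewall audits, including the opnum-12 calls the SharpHound sessions rule below treats as its own signal; the false-positive list should say that any MS-SRVS use is matched.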
@@ -0,0 +1,30 @@
+title: Remote Server Service Abuse for Lateral Movement
+id: 10018e73-06ec-46ec-8107-9172f1e04ff2
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://attack.mitre.org/techniques/T1569/002/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+ - attack.t1569.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
+ condition: selection
+falsepositives:
+ - Administrative tasks on remote services
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
new file mode 100644
index 000000000..0e0151b04
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
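Review bot: The title (`Remote Server Service Abuse for Lateral Movement`) and description (`via MS-EFSR`) contradict the rule body: the UUID `367abb81-9844-35f1-ad32-98f038001003`, the MS-SCMR.md reference, the `attack.t1569.002` tag and the file name `rpc_firewall_remote_service_lateral_movement.yml` are all about the Service Control Manager. Suggested `title: Remote Service Lateral Movement` and `description: Detects remote RPC calls to possibly abuse the Service Control Manager via MS-SCMR`. The `ms-srvs` documentation link also looks copied from the server service rule, though that needs confirming against the MS-SCMR specification.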
@@ -0,0 +1,34 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: aff229ab-f8cd-447b-b215-084d11e79eb0
+description: Detects remote RPC calls to create or execute a scheduled task via SASec
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.lateral_movement
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+ OpNum:
+ - 0
+ - 1
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
new file mode 100644
index 000000000..aa28a4bc5
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -0,0 +1,30 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: 0a3ff354-93fc-4273-8a03-1078782de5b7
+description: Detects remote RPC calls to read information about scheduled tasks via SASec
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+ filter:
+ OpNum:
+ - 0
+ - 1
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
new file mode 100644
index 000000000..dd9d1b6cd
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
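Review bot: `title: Remote Schedule Task Lateral Movement via SASec` duplicates the title of the SASec lateral-movement rule directly above, while this rule's description and its `selection and not filter` condition make it the recon counterpart; `title: Remote Schedule Task Recon via SASec` follows the naming of the other recon rules. Two rules sharing one title are hard to tell apart in an alert console, and this one also carries no `tags`, so the title is the only thing identifying it.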
@@ -0,0 +1,29 @@
+title: SharpHound Recon Account Discovery
+id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+ - https://attack.mitre.org/techniques/T1087/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.t1087
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
+ OpNum: 2
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
new file mode 100644
index 000000000..b2a92416a
--- /dev/null
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
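Review bot: `description` has the typo `useb` (`used`), and the identical sentence is reused in the SharpHound sessions rule below even though that rule keys on MS-SRVS opnum 12 and this one on MS-WKST opnum 2, so one of the two descriptions is wrong about what it maps. `description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.` fixes the typo here; the sessions rule should get wording about session enumeration, which its T1033 reference suggests is the intent. Both rules list only `Unknown` under `falsepositives`, although any client calling the same opnum is matched, not just SharpHound; the title should not promise tool attribution the selection cannot deliver.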
@@ -0,0 +1,29 @@
+title: SharpHound Recon Sessions
+id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+tags:
+ - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: rpc_firewall
+ category: application
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
+detection:
+ selection:
+ EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+ OpNum: 12
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
similarity index 100%
rename from rules/application/appframework_ruby_on_rails_exceptions.yml
rename to rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/spring/appframework_spring_exceptions.yml
similarity index 100%
rename from rules/application/appframework_spring_exceptions.yml
rename to rules/application/spring/appframework_spring_exceptions.yml
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
similarity index 100%
rename from rules/application/app_sqlinjection_errors.yml
rename to rules/application/sql/app_sqlinjection_errors.yml
diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml
index faeea86db..0f5fba3e4 100644
--- a/rules/apt/apt_silence_downloader_v3.yml
+++ b/rules/apt/apt_silence_downloader_v3.yml
@@ -31,7 +31,6 @@ level: high
 tags:
 - attack.persistence
 - attack.t1547.001
- - attack.t1060 # an old one
 - attack.discovery
 - attack.t1057
 - attack.t1082
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index ad8aadcf9..8f4d5ef82 100644
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@@ -32,10 +32,8 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.command_and_control
 - attack.t1071.004
- - attack.t1071 # an old one
 - attack.t1572
 - attack.impact
 - attack.t1529
diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
index 6d3e484db..965007fc9 100644
--- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
@@ -24,4 +24,3 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml
index 71ff54910..6a0d9e6a3 100644
--- a/rules/cloud/aws/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/aws_config_disable_recording.yml
@@ -21,4 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml
index 1e8aa959c..b483c2036 100644
--- a/rules/cloud/aws/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml
@@ -22,8 +22,5 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.t1059.003
 - attack.t1059.004
- - attack.t1059 # an old one
- - attack.t1064 # an old one
diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml
index d7500a063..259414a9f 100644
--- a/rules/cloud/aws/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/aws_guardduty_disruption.yml
@@ -21,4 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml
index 2306c3222..14bbc35e5 100644
--- a/rules/cloud/aws/aws_root_account_usage.yml
+++ b/rules/cloud/aws/aws_root_account_usage.yml
@@ -22,4 +22,3 @@ level: medium
 tags:
 - attack.privilege_escalation
 - attack.t1078.004
- - attack.t1078 # an old one
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index 89030ee2d..9bc2d54c2 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -28,6 +28,5 @@ falsepositives:
 level: medium
 tags:
 - attack.s0003
- - attack.t1156 # an old one
 - attack.persistence
 - attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 6d2657ca7..71ce7553c 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -28,5 +28,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1054 # an old one
 - attack.t1562.006
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 8d2d96b09..0cc93ec67 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -19,6 +19,5 @@ falsepositives:
 - Admin activity
 level: medium
 tags:
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
new file mode 100644
index 000000000..fd3531e09
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -0,0 +1,28 @@
+title: CVE-2021-4034 Exploitation Attempt
+id: 40a016ab-4f48-4eee-adde-bbf612695c53
+description: Detects exploitation attempt of vulnerability described in CVE-2021-4034.
+author: 'Pawel Mazur'
+status: experimental
+date: 2022/01/27
+references:
+ - https://github.com/berdav/CVE-2021-4034
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
+ - https://access.redhat.com/security/cve/CVE-2021-4034
+logsource:
+ product: linux
+ service: auditd
+detection:
+ proctitle:
+ type: PROCTITLE
+ proctitle: '(null)'
+ syscall:
+ type: SYSCALL
+ comm: pkexec
+ exe: '/usr/bin/pkexec'
+ condition: proctitle and syscall
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
new file mode 100644
index 000000000..14ee8b54b
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
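Review bot: `condition: proctitle and syscall` requires a single event to carry both `type: PROCTITLE` and `type: SYSCALL`, but auditd writes those as separate records that only share an event serial, so unless the collection pipeline merges the records of one event before matching, the condition can never be true and the rule stays silent. That requirement is not stated anywhere in the rule; record it in `logsource`, e.g. `definition: 'Requires the PROCTITLE and SYSCALL records of one auditd event to be merged before evaluation'`, or confirm that the intended backend joins them. Whether the reference exploit reliably shows up as `proctitle: '(null)'` across distributions is an inference from the referenced PoC that I have not verified, so a second falsepositives entry noting other causes of an empty proctitle would be prudent.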
@@ -0,0 +1,27 @@
+title: Disable System Firewall
+id: 53059bc0-1472-438b-956a-7508a94a91f0
+status: experimental
+description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
+author: 'Pawel Mazur'
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+ - https://attack.mitre.org/techniques/T1562/004/
+ - https://firewalld.org/documentation/man-pages/firewall-cmd.html
+date: 2022/01/22
+logsource:
+ product: linux
+ service: auditd
+detection:
+ service_stop:
+ type: 'SERVICE_STOP'
+ unit:
+ - 'firewalld'
+ - 'iptables'
+ - 'ufw'
+ condition: service_stop
+falsepositives:
+ - Admin activity
+level: high
+tags:
+ - attack.t1562.004
+ - attack.defense_evasion
\ No newline at end of file
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index 018008956..028aac4f9 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -27,5 +27,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1054 # an old one
- attack.t1562.006
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
index dfaa5a4ef..2b1d7f6cd 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
@@ -14,7 +14,6 @@ logsource:
tags:
- attack.privilege_escalation
- attack.t1068
- - attack.t1169 # an old one
- attack.t1548.003
- cve.2019.14287
detection:
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
index 96afaf522..160c8094b 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
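Review bot: The `unit` list names only `firewalld`, `iptables` and `ufw`, so stopping `nftables` (the backend on recent Debian and RHEL releases, as far as I know) or `ip6tables` goes undetected; adding `- 'nftables'` and `- 'ip6tables'` to the list closes that gap. A `SERVICE_STOP` record is also emitted for every unit during shutdown or reboot and when a package upgrade restarts the service, so with `level: high` the `falsepositives` entry should list `- System shutdown or reboot` and `- Package upgrades restarting the service` next to admin activity. The file also ends without a trailing newline.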
@@ -18,7 +18,6 @@ logsource:
tags:
- attack.privilege_escalation
- attack.t1068
- - attack.t1169 # an old one
- attack.t1548.003
- cve.2019.14287
detection:
diff --git a/rules/linux/file_create/lnx_doas_conf_creation.yml b/rules/linux/file_create/lnx_doas_conf_creation.yml
new file mode 100644
index 000000000..11c4e0635
--- /dev/null
+++ b/rules/linux/file_create/lnx_doas_conf_creation.yml
@@ -0,0 +1,22 @@
+title: Linux Doas Conf File Creation
+id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
+status: stable
+description: Detects the creation of doas.conf file in linux host platform.
+references:
+ - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
+ - https://www.makeuseof.com/how-to-install-and-use-doas/
+author: Sittikorn S, Teoderick Contreras
+date: 2022/01/20
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
+logsource:
+ product: linux
+ category: file_create
+detection:
+ selection:
+ TargetFilename|endswith: '/etc/doas.conf'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/rules/linux/macos/process_creation/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
index b5e7862d9..573af8117 100644
--- a/rules/linux/macos/process_creation/macos_create_account.yml
+++ b/rules/linux/macos/process_creation/macos_create_account.yml
@@ -21,6 +21,5 @@ falsepositives:
- Legitimate administration activities
level: low
tags:
- - attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index 655b9528e..096cbe2e9 100644
--- a/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -13,7 +13,6 @@ references:
tags:
- attack.defense_evasion
- attack.t1562.004
- - attack.t1089 # an old one
logsource:
product: linux
service: syslog
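Review bot: `status: stable` on a rule dated 2022/01/20 skips the experimental stage that the other new rules in this change use (`status: experimental` in the pkexec rule above); a brand-new rule should start as `status: experimental` until it has field exposure. `falsepositives: Unlikely` is also optimistic, because `/etc/doas.conf` is written legitimately when the doas package is installed and on hosts that use doas as their sudo replacement (Alpine and OpenBSD-derived setups), so `- Installation of the doas package` and `- Hosts that use doas as their sudo replacement` would describe the real picture. The `endswith` match also covers `/usr/local/etc/doas.conf`, which fits the intent but is worth noting in the description.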
diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml
new file mode 100644
index 000000000..c47444781
--- /dev/null
+++ b/rules/linux/process_creation/lnx_doas_execution.yml
@@ -0,0 +1,22 @@
+title: Linux Doas Tool Execution
+id: 067d8238-7127-451c-a9ec-fa78045b618b
+status: stable
+description: Detects the doas tool execution in linux host platform.
+references:
+ - https://research.splunk.com/endpoint/linux_doas_tool_execution/
+ - https://www.makeuseof.com/how-to-install-and-use-doas/
+author: Sittikorn S, Teoderick Contreras
+date: 2022/01/20
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/doas'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: low
diff --git a/rules/linux/process_creation/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml
index 56bc28af5..0455235a2 100644
--- a/rules/linux/process_creation/lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/lnx_security_tools_disabling.yml
@@ -10,7 +10,6 @@ references:
tags:
- attack.defense_evasion
- attack.t1562.004
- - attack.t1089 # an old one
logsource:
category: process_creation
product: linux
diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml
index dcef68df3..89ed46e9a 100644
--- a/rules/linux/process_creation/lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/lnx_webshell_detection.yml
@@ -8,7 +8,6 @@ date: 2021/10/15
author: Florian Roth
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
logsource:
product: linux
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 2c261f2d9..2b1d1ff0d 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
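Review bot: `Image|endswith: '/doas'` matches every privileged command on a host where doas is the installed privilege tool, so `falsepositives: Unlikely` is wrong for precisely the systems that can produce the event; `- Hosts that use doas as their sudo replacement` is the honest entry, and `level: low` is the right place for it. As with the companion conf-creation rule, `status: stable` on a rule first dated 2022/01/20 should be `status: experimental` per the staging the other new rules in this change follow. Without any `CommandLine` qualifier the selection has nothing to distinguish abuse from routine use, which is worth a sentence in the description so analysts tune it rather than discard it.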
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1146 # an old one - attack.t1070.003 diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index d7735944d..a3c03bf52 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -29,9 +29,6 @@ tags: - attack.discovery - attack.credential_access - attack.collection - - attack.t1087 # an old one - attack.t1087.001 - - attack.t1003 # an old one - - attack.t1081 # an old one - attack.t1552.001 - attack.t1005 diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index b3dfc8fc4..35510c62e 100644 --- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -27,7 +27,5 @@ level: high tags: - attack.credential_access - attack.defense_evasion - - attack.t1130 # an old one - attack.t1553.004 - - attack.t1145 # an old one - attack.t1552.004 diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index 510ec7346..d90b34743 100644 --- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml index fc0c76fa9..bdedcfc76 100644 --- a/rules/network/cisco/aaa/cisco_cli_dos.yml +++ b/rules/network/cisco/aaa/cisco_cli_dos.yml @@ -24,5 +24,4 @@ tags: - attack.impact - attack.t1495 - attack.t1529 - - attack.t1492 # an old one - attack.t1565.001 
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index 9849c2364..4e35a0dd1 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -23,9 +23,6 @@ level: medium tags: - attack.defense_evasion - attack.impact - - attack.t1107 # an old one - attack.t1070.004 - - attack.t1488 # an old one - attack.t1561.001 - - attack.t1487 # an old one - attack.t1561.002 diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml index 27c70acec..bf429a053 100644 --- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml +++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml @@ -22,5 +22,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1139 # an old one - attack.t1552.003 diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml index 0a57541c9..4d579b008 100644 --- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml +++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml @@ -21,6 +21,5 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1136 # an old one - attack.t1136.001 - attack.t1098 diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index e1b6d7684..dffc9bced 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -30,7 +30,5 @@ tags: - attack.impact - attack.t1490 - attack.t1505 - - attack.t1493 # an old one - attack.t1565.002 - - attack.t1168 # an old one - attack.t1053 diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml index a80bbfb5b..138a0f3d4 100644 --- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml 
@@ -30,5 +30,4 @@ tags: - attack.exfiltration - attack.t1074 - attack.t1105 - - attack.t1002 # an old one - attack.t1560.001 diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml index 497ab0b5f..4d0edd9e0 100644 --- a/rules/network/net_dns_c2_detection.yml +++ b/rules/network/net_dns_c2_detection.yml @@ -19,8 +19,6 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 diff --git a/rules/network/net_firewall_high_dns_bytes_out.yml b/rules/network/net_firewall_high_dns_bytes_out.yml index afe5e839e..1b5e3bf9f 100644 --- a/rules/network/net_firewall_high_dns_bytes_out.yml +++ b/rules/network/net_firewall_high_dns_bytes_out.yml @@ -7,7 +7,6 @@ date: 2019/10/24 modified: 2021/09/21 tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 logsource: category: firewall diff --git a/rules/network/net_firewall_high_dns_requests_rate.yml b/rules/network/net_firewall_high_dns_requests_rate.yml index 843c080a7..b57f3feca 100644 --- a/rules/network/net_firewall_high_dns_requests_rate.yml +++ b/rules/network/net_firewall_high_dns_requests_rate.yml @@ -7,10 +7,8 @@ date: 2019/10/24 modified: 2021/09/21 tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 logsource: category: firewall diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml index 193bfcdff..86cd973f6 100644 --- a/rules/network/net_high_dns_bytes_out.yml +++ b/rules/network/net_high_dns_bytes_out.yml @@ -7,7 +7,6 @@ date: 2019/10/24 modified: 2021/09/21 tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 logsource: category: dns 
diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml index da8727716..20dd6a519 100644 --- a/rules/network/net_high_dns_requests_rate.yml +++ b/rules/network/net_high_dns_requests_rate.yml @@ -7,10 +7,8 @@ date: 2019/10/24 modified: 2021/09/21 tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 logsource: category: dns diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml index e8166edca..a5e92db2e 100644 --- a/rules/network/net_high_null_records_requests_rate.yml +++ b/rules/network/net_high_null_records_requests_rate.yml @@ -17,8 +17,6 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml index fac27dab9..95c2ea626 100644 --- a/rules/network/net_high_txt_records_requests_rate.yml +++ b/rules/network/net_high_txt_records_requests_rate.yml @@ -17,8 +17,6 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index d07c4f8ab..a7c46dd46 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -23,5 +23,4 @@ falsepositives: level: critical tags: - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml index c235127de..76cbf9663 100644 --- a/rules/network/net_susp_dns_b64_queries.yml 
+++ b/rules/network/net_susp_dns_b64_queries.yml @@ -18,8 +18,6 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1048 # an old one - attack.t1048.003 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 9ea3d56d2..91533cedc 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml @@ -23,5 +23,4 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml index 4e813ed87..b37de31a3 100644 --- a/rules/network/net_susp_telegram_api.yml +++ b/rules/network/net_susp_telegram_api.yml @@ -21,5 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1102 # an old one - attack.t1102.002 \ No newline at end of file diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml index 316835f92..efe93efe0 100644 --- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml +++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml @@ -9,7 +9,6 @@ date: 2020/05/03 modified: 2021/11/14 tags: - attack.discovery - - attack.t1087 # an old one - attack.t1087.002 - attack.t1082 logsource: diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index b586d3831..568d8a0f6 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml @@ -48,8 +48,6 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1035 # an old one - attack.t1047 - - attack.t1053 # an old one - attack.t1053.002 - attack.t1569.002 
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 4621e4f36..d9dfdcfbc 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -36,5 +36,4 @@ falsepositives:
level: medium
tags:
- attack.persistence
- - attack.t1004 # an old one
- attack.t1547.004
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 4b80f9055..87868b483 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -12,7 +12,6 @@ logsource:
service: dns
product: zeek
tags:
- - attack.t1035 # an old one
- attack.t1569.002
- attack.t1496
detection:
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 06b8a5801..0e6a8c2e1 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -11,9 +11,8 @@ references:
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
tags:
- - attack.t1094 # an old one
- attack.t1095
- - attack.t1043
+ - attack.t1571
- attack.command_and_control
logsource:
product: zeek
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index 8b2f1a02f..1f41a07f9 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -5,7 +5,6 @@ description: Detects connections from routable IPs to an RDP listener - which is
references:
- https://attack.mitre.org/techniques/T1021/001/
tags:
- - attack.t1021 # an old one
- attack.t1021.001
author: 'Josh Brower @DefensiveDepth'
date: 2020/08/22
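Review bot: In the zeek_dns_suspicious_zbit_flag hunk the retired `attack.t1043` is replaced by `+ - attack.t1571` (Non-Standard Port), which does not describe a rule keyed on the DNS Z-bit: the traffic it flags is DNS on its usual port, and the rule checks nothing about ports. The DNS-tunnelling rules elsewhere in this change keep `attack.t1071.004` for the same class of traffic, so `- attack.t1071.004` is the consistent replacement here; if the intent really was a port anomaly, the description should say so. The SUNBURST pDNS reference points the same way, as far as I can tell.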
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 7451b3b31..952010ffb 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -22,7 +22,6 @@ level: medium tags: - attack.lateral_movement - attack.persistence - - attack.t1053 # an old one - car.2013-05-004 - car.2015-04-001 - attack.t1053.002 diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 98ad4d204..f0b7975ae 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -23,7 +23,6 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.002 - attack.t1003.004 - attack.t1003.003 diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index 74f765b4a..e9b886aa5 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml @@ -39,5 +39,4 @@ falsepositives: level: high tags: - attack.lateral_movement - - attack.t1077 # an old one - attack.t1021.002 diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 13162d6a0..2093f2dfd 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -30,5 +30,4 @@ falsepositives: level: high tags: - attack.lateral_movement - - attack.t1077 # an old one - attack.t1021.002 
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 848b04118..ed9fc8db2 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -27,7 +27,6 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 5b2517060..173944db0 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -22,5 +22,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- - attack.t1208 # an old one
- attack.t1558.003
diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml
index 56869f0ef..ad78cd5f8 100644
--- a/rules/proxy/proxy_apt40.yml
+++ b/rules/proxy/proxy_apt40.yml
@@ -23,7 +23,5 @@ level: high
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
- attack.exfiltration
- attack.t1567.002
- - attack.t1048 # an old one
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 65b74bef3..eea3ebbfc 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -23,4 +23,3 @@ level: critical
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 46d5fcc7f..7301303a0 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -30,4 +30,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
+ 
\ No newline at end of file
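Review bot: In the proxy_cobalt_amazon hunk the removed tag is replaced by an added line holding only whitespace, and the hunk ends with `\ No newline at end of file`, so the rule now finishes with a trailing-whitespace line and no EOF newline; yamllint's `trailing-spaces` and `new-line-at-end-of-file` checks will flag it. Delete the blank line outright, as every other `# an old one` removal in this change does, so the tags list ends at `- attack.t1071.001` followed by a single newline.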
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index a3b19690c..43553af44 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -25,4 +25,3 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index 4c45e33c7..01d606b57 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml @@ -22,4 +22,3 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 6ceee22b7..e3e605417 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -25,4 +25,3 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index 739a09478..f5374e960 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml @@ -113,4 +113,3 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index d30f7d32b..268fd3abb 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -62,4 +62,3 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index d797c734d..a619b015a 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml 
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml @@ -27,4 +27,3 @@ level: high tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml index a36a0909f..7f027bfb2 100644 --- a/rules/proxy/proxy_empire_ua_uri_combos.yml +++ b/rules/proxy/proxy_empire_ua_uri_combos.yml @@ -28,4 +28,3 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index ab89ee9ef..a86801b78 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -30,4 +30,3 @@ tags: - attack.credential_access - attack.t1528 - attack.t1552.001 - - attack.t1081 # an old one diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml index 42813f313..d9b6569a2 100644 --- a/rules/proxy/proxy_pwndrop.yml +++ b/rules/proxy/proxy_pwndrop.yml @@ -23,7 +23,5 @@ level: critical tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one - attack.t1102.001 - attack.t1102.003 - - attack.t1102 # an old one diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index b731474b6..9135f5e4c 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -27,8 +27,6 @@ level: high tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one - attack.t1102.001 - attack.t1102.003 - attack.defense_evasion - - attack.t1102 # an old one diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index a12c9e45d..3277e1224 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml 
@@ -24,7 +24,5 @@ tags: - attack.t1189 - attack.execution - attack.t1204.002 - - attack.t1204 # an old one - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index c961ec2c9..c8803a0a1 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml @@ -32,6 +32,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one - attack.t1102.002 - - attack.t1102 # an old one diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml index 2f97ae7da..41b3aa242 100644 --- a/rules/proxy/proxy_turla_comrat.yml +++ b/rules/proxy/proxy_turla_comrat.yml @@ -20,5 +20,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one - attack.g0010 diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml index d9f0aa5df..c0068e710 100644 --- a/rules/proxy/proxy_ursnif_malware_c2_url.yml +++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml @@ -30,9 +30,7 @@ level: critical tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one - attack.execution - attack.t1204.002 - - attack.t1204 # an old one - attack.command_and_control - attack.t1071.001 diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml index e2fe9853d..a7c208d46 100644 --- a/rules/web/web_apache_segfault.yml +++ b/rules/web/web_apache_segfault.yml @@ -18,5 +18,4 @@ falsepositives: level: high tags: - attack.impact - - attack.t1499 # an old one - attack.t1499.004 diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index 0ca683c20..40b443f54 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml 
@@ -21,7 +21,6 @@ falsepositives: - Unknown level: critical tags: - - attack.t1100 # an old one - attack.t1190 - attack.initial_access - attack.persistence diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index e2715da28..ad25c59e9 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -24,7 +24,6 @@ falsepositives: - Unknown level: high tags: - - attack.t1100 # an old one - attack.t1190 - attack.initial_access - cve.2020.14882 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index 5663b39d8..98eb7aa2e 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml @@ -30,7 +30,6 @@ falsepositives: - Unknown level: high tags: - - attack.t1100 # an old one - attack.t1190 - attack.initial_access - cve.2020.3452 \ No newline at end of file diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index 34e6786a6..7a66f2a83 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml @@ -24,5 +24,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1100 # an old one - attack.t1505.003 diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml index b51f2b830..b96d0af9f 100644 --- a/rules/web/win_powershell_snapins_hafnium.yml +++ b/rules/web/win_powershell_snapins_hafnium.yml @@ -10,7 +10,6 @@ date: 2021/03/03 modified: 2021/08/09 tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 - attack.collection - attack.t1114 diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index 7dc07c128..7e38813c7 100644 --- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml 
@@ -33,5 +33,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
diff --git a/rules/windows/builtin/application/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml
index b7b91a54c..48063418f 100644
--- a/rules/windows/builtin/application/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/win_susp_backup_delete.yml
@@ -10,7 +10,6 @@ date: 2017/05/12
modified: 2021/10/13
tags:
- attack.defense_evasion
- - attack.t1107 # an old one
- attack.t1070.004
logsource:
product: windows
diff --git a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
index a128d21dc..e5e4e8d67 100644
--- a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
@@ -3,7 +3,6 @@ id: 6c82cf5c-090d-4d57-9188-533577631108
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1211
- attack.t1562.001
status: experimental
diff --git a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
similarity index 88%
rename from rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
rename to rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 1e14e667d..9e28f7ab9 100644
--- a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -32,10 +32,6 @@ falsepositives:
level: medium
tags:
- attack.execution
- - attack.t1086 # an old one
- - attack.t1064 # an old one
- - attack.t1204 # an old one
- - attack.t1035 # an old one
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
new file mode 100644
index 000000000..69d0d3b0f
--- /dev/null
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
@@ -0,0 +1,20 @@
+title: Code Integrity Blocked Driver Load
+id: f8931561-97f5-4c46-907f-0a4a592e47a7
+description: Detects driver load events that got blocked by Windows code integrity checks
+author: Florian Roth
+status: experimental
+references:
+ - https://twitter.com/SBousseaden/status/1483810148602814466
+date: 2022/01/20
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ keywords:
+ - 'that did not meet the Microsoft signing level requirements'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/other/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
similarity index 100%
rename from rules/windows/other/dns_server/win_apt_gallium.yml
rename to rules/windows/builtin/dns_server/win_apt_gallium.yml
diff --git a/rules/windows/other/dns_server/win_susp_dns_config.yml b/rules/windows/builtin/dns_server/win_susp_dns_config.yml
similarity index 94%
rename from rules/windows/other/dns_server/win_susp_dns_config.yml
rename to rules/windows/builtin/dns_server/win_susp_dns_config.yml
index 6254caca7..9a90fb155 100644
--- a/rules/windows/other/dns_server/win_susp_dns_config.yml
+++ b/rules/windows/builtin/dns_server/win_susp_dns_config.yml
@@ -23,5 +23,4 @@ falsepositives:
level: critical
tags:
- attack.defense_evasion
- - attack.t1073 # an old one
- attack.t1574.002
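Review bot: The new rule's `keywords:` block matches only the English rendering of the event description, so hosts whose Windows UI language localizes the CodeIntegrity messages will never fire, and the phrase is not specific to drivers or to a blocked (as opposed to merely reported) load, so the rule relies entirely on one free-text fragment. Anchor on the event ID instead: add `selection:` with `EventID: 3077` (the Microsoft-Windows-CodeIntegrity/Operational event for an image refused for its signing level — confirm against the referenced tweet before pinning it) above `keywords:` and set `condition: selection and keywords`. The lone `attack.execution` tag reads oddly for an event whose subject is a load the OS refused; presumably `attack.defense_evasion` or `attack.privilege_escalation` describes the attacker intent better, worth reconsidering. `falsepositives: - Unknown` undersells the noise on HVCI/WDAC-enabled hosts, where legacy or unsigned third-party drivers commonly produce exactly this event, which matters at `level: high`; stating that expected source would help triage. The file is also missing its trailing newline (`\ No newline at end of file`).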
diff --git a/rules/windows/other/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
similarity index 100%
rename from rules/windows/other/driverframeworks/win_usb_device_plugged.yml
rename to rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
diff --git a/rules/windows/other/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
similarity index 100%
rename from rules/windows/other/ldap/win_ldap_recon.yml
rename to rules/windows/builtin/ldap/win_ldap_recon.yml
diff --git a/rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml
rename to rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
diff --git a/rules/windows/other/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_transportagent.yml
rename to rules/windows/builtin/msexchange/win_exchange_transportagent.yml
diff --git a/rules/windows/other/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_transportagent_failed.yml
rename to rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
diff --git a/rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml
rename to rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
similarity index 94%
rename from rules/windows/other/ntlm/win_susp_ntlm_auth.yml
rename to rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index 256ba6ea8..f6eb146e2 100644
--- a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -10,7 +10,6 @@ date: 2018/06/08
modified: 2021/11/20
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- attack.t1550.002
logsource:
product: windows
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
similarity index 100%
rename from rules/windows/other/ntlm/win_susp_ntlm_rdp.yml
rename to rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
diff --git a/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
similarity index 100%
rename from rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml
rename to rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
diff --git a/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
similarity index 100%
rename from rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
rename to rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index 017048ad8..c5798b2c3 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -5,7 +5,6 @@ references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
status: experimental
author: Samir Bousseaden
diff --git a/rules/windows/builtin/security/win_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
index 779fe0302..2f3e22891 100644
--- a/rules/windows/builtin/security/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
@@ -24,5 +24,4 @@ falsepositives:
level: critical
tags:
- attack.defense_evasion
- - attack.t1222 # an old one
- attack.t1222.001
diff --git a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
index f87dba3b8..c67999e5b 100644
--- a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
@@ -31,5 +31,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.006
diff --git a/rules/windows/builtin/security/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml
index 85a1ac967..37a865e95 100644
--- a/rules/windows/builtin/security/win_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_ad_user_enumeration.yml
@@ -11,7 +11,6 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml
index 1ff0216df..a2186be2b 100644
--- a/rules/windows/builtin/security/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/win_admin_rdp_login.yml
@@ -5,7 +5,6 @@ references:
- https://car.mitre.org/wiki/CAR-2016-04-005
tags:
- attack.lateral_movement
- - attack.t1078 # an old one
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
diff --git a/rules/windows/builtin/security/win_admin_share_access.yml b/rules/windows/builtin/security/win_admin_share_access.yml
index fd78ca8a7..3d8dc32ec 100644
--- a/rules/windows/builtin/security/win_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_admin_share_access.yml
@@ -21,5 +21,4 @@ falsepositives:
level: low
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
index ab46a0015..5667e9467 100644
--- a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
@@ -86,5 +86,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
diff --git a/rules/windows/builtin/security/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml
index 071c57705..94c382c2f 100644
--- a/rules/windows/builtin/security/win_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_alert_ruler.yml
@@ -15,7 +15,6 @@ tags:
- attack.discovery
- attack.execution
- attack.t1087
- - attack.t1075 # an old one
- attack.t1114
- attack.t1059
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
index b1b621bcf..5843d6bf9 100644
--- a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
@@ -10,15 +10,12 @@ references:
tags:
- attack.persistence
- attack.g0049
- - attack.t1053 # an old one
- attack.t1053.005
- attack.s0111
- - attack.t1050 # an old one
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- - attack.t1071 # an old one
- attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
diff --git a/rules/windows/builtin/security/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml
index fc8011516..8dcb9b26c 100644
--- a/rules/windows/builtin/security/win_apt_wocao.yml
+++ b/rules/windows/builtin/security/win_apt_wocao.yml
@@ -11,13 +11,10 @@ tags:
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- - attack.t1036 # an old one
- attack.t1027
- attack.execution
- attack.t1053.005
- - attack.t1053 # an old one
- attack.t1059.001
- - attack.t1086 # an old one
date: 2019/12/20
modified: 2021/09/19
logsource:
diff --git a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
index 086feb2b2..252c8334c 100644
--- a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -9,7 +9,6 @@ references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
tags:
- attack.t1204
- - attack.t1193 # an old one
- attack.t1566.001
- attack.execution
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
index e0caff9b4..f45c6c860 100644
--- a/rules/windows/builtin/security/win_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_atsvc_task.yml
@@ -24,7 +24,6 @@ level: medium
tags:
- attack.lateral_movement
- attack.persistence
- - attack.t1053 # an old one
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
diff --git a/rules/windows/builtin/security/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml
index 70ec081b7..1c4d3086e 100644
--- a/rules/windows/builtin/security/win_dcsync.yml
+++ b/rules/windows/builtin/security/win_dcsync.yml
@@ -11,7 +11,6 @@ references:
tags:
- attack.credential_access
- attack.s0002
- - attack.t1003 # an old one
- attack.t1003.006
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml
index 46345954a..a0196d1db 100644
--- a/rules/windows/builtin/security/win_defender_bypass.yml
+++ b/rules/windows/builtin/security/win_defender_bypass.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
diff --git a/rules/windows/builtin/security/win_disable_event_logging.yml b/rules/windows/builtin/security/win_disable_event_logging.yml
index 9f3b32e5c..1975bc806 100644
--- a/rules/windows/builtin/security/win_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_disable_event_logging.yml
@@ -23,5 +23,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1054 # an old one
- attack.t1562.002
diff --git a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
index bf6c020e3..57ecd7d68 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
@@ -22,5 +22,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.004
diff --git a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
index 07159fd3f..919d985b3 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -23,5 +23,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.004
diff --git a/rules/windows/builtin/security/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml
index 26deafd02..3bb242439 100644
--- a/rules/windows/builtin/security/win_event_log_cleared.yml
+++ b/rules/windows/builtin/security/win_event_log_cleared.yml
@@ -12,7 +12,6 @@ logsource:
service: security
product: windows
tags:
- - attack.t1107 # an old one
- attack.t1070.001
detection:
selection:
diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 5bd709c7d..6659a8c0c 100644
--- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
index ab7dfd2d3..031277636 100644
--- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
@@ -27,5 +27,4 @@ level: high
tags:
- attack.persistence
- attack.lateral_movement
- - attack.t1053 # an old one
- attack.t1053.005
diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
index 798069d92..312355ab0 100644
--- a/rules/windows/builtin/security/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_impacket_secretdump.yml
@@ -9,7 +9,6 @@ references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml
index acf2eb16b..a5a4abc1d 100644
--- a/rules/windows/builtin/security/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_lm_namedpipe.yml
@@ -42,5 +42,4 @@ falsepositives:
level: high
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index d1157daf3..0fd9ca77a 100644
--- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -9,7 +9,6 @@ references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml
index a74b3aa9d..2addf4d35 100644
--- a/rules/windows/builtin/security/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_metasploit_authentication.yml
@@ -9,7 +9,6 @@ references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 5fc1af96f..731069c17 100644
--- a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -12,7 +12,6 @@ date: 2018/03/20
modified: 2021/06/27
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
# Windows Security Eventlog: Process Creation with Full Command Line
diff --git a/rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
similarity index 91%
rename from rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml
rename to rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
index 585fa2ff6..989b884e6 100755
--- a/rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
@@ -6,10 +6,10 @@ author: Tim Shelton (HAWK.IO)
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
date: 2021/12/06
-modified: 2021/12/06
+modified: 2022/01/16
logsource:
product: windows
- category: security
+ service: security
detection:
selection:
EventID: 5145
@@ -27,5 +27,4 @@ falsepositives:
level: medium
tags:
- attack.persistence
- - attack.t1023 # an old one
- attack.t1547.009
diff --git a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
index 7b48f7705..8f200780d 100644
--- a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
@@ -23,5 +23,4 @@ falsepositives:
level: medium
tags:
- attack.lateral_movement
- - attack.t1076 # an old one
- attack.t1021.001
diff --git a/rules/windows/builtin/security/win_overpass_the_hash.yml b/rules/windows/builtin/security/win_overpass_the_hash.yml
index a123ed2be..60edc2213 100644
--- a/rules/windows/builtin/security/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/win_overpass_the_hash.yml
@@ -22,6 +22,5 @@ falsepositives:
level: high
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- attack.s0002
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml
index ca9d3f39c..ca13aa9cf 100644
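Review bot: The `index 585fa2ff6..989b884e6 100755` line shows this rule file carries the executable bit and the rename preserves it, while every other rule touched in this diff is `100644`; the move is the natural moment to clear it (`git update-index --chmod=-x rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml`). The `category: security` → `service: security` change itself is the right fix for an `EventID: 5145` rule, since `security` is an event channel (a `service`) in Sigma's Windows logsource taxonomy and the old key would not have matched any backend mapping. Because 5145 is only emitted when the "Audit Detailed File Share" subcategory is enabled, presumably worth a sentence in the rule's description so a zero-hit deployment is understood as a logging gap rather than a clean result — confirm against the rest of the file, which continues outside this hunk.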
--- a/rules/windows/builtin/security/win_pass_the_hash.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash.yml
@@ -29,6 +29,5 @@ falsepositives:
level: medium
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- car.2016-04-004
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
index f70a26051..0fdadb4a1 100644
--- a/rules/windows/builtin/security/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash_2.yml
@@ -10,7 +10,6 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- attack.t1550.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
index 29cea968c..006a8a330 100644
--- a/rules/windows/builtin/security/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_protected_storage_service_access.yml
@@ -21,5 +21,4 @@ falsepositives:
level: critical
tags:
- attack.lateral_movement
- - attack.t1021 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
index 4e25bed94..25a7a93ae 100644
--- a/rules/windows/builtin/security/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
@@ -22,6 +22,5 @@ tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- - attack.t1053 # an old one
- car.2013-08-001
- attack.t1053.005
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index f6ddb6e44..26c9954fd 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -7,7 +7,6 @@ date: 2019/01/28
modified: 2021/07/07
tags:
- attack.lateral_movement
- - attack.t1076 # an old one
- car.2013-07-002
- attack.t1021.001
status: experimental
diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index c56e62128..5f127ce93 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -12,8 +12,6 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.lateral_movement
- - attack.t1076 # an old one
- - attack.t1090 # an old one
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
diff --git a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
index 9f5b22151..05f1fe83e 100644
--- a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -7,7 +7,6 @@ references:
tags:
- attack.lateral_movement
- attack.privilege_escalation
- - attack.t1208 # an old one
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml
index 3de3b459a..0fd7f3726 100644
--- a/rules/windows/builtin/security/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_remote_powershell_session.yml
@@ -9,7 +9,6 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- - attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
index 9150ab1a9..865a9c845 100644
--- a/rules/windows/builtin/security/win_scheduled_task_deletion.yml
+++ b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
@@ -7,7 +7,6 @@ date: 2021/01/22
tags:
- attack.execution
- attack.privilege_escalation
- - attack.t1053 # an old one
- car.2013-08-001
- attack.t1053.005
references:
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index d311d40f9..ca29a8a52 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
tags:
- attack.credential_access
- attack.execution
- - attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- - attack.t1035 # an old one
- attack.t1569.002
- attack.s0005
logsource:
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index 3f798a692..b3b0a67c2 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -16,8 +16,6 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1003
- - attack.t1035 # an old one
- - attack.t1050 # an old one
- car.2013-09-005
- attack.t1543.003
- attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 17df9ffed..aa946c489 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -13,7 +13,6 @@ references:
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- - attack.t1134 # an old one
- attack.t1134.001
- attack.t1134.002
logsource:
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 514a0ca97..900c55750 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -14,7 +14,6 @@ references:
tags:
- attack.persistence
- attack.privilege_escalation
- - attack.t1084 # an old one
- attack.t1546.003
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_susp_add_sid_history.yml b/rules/windows/builtin/security/win_susp_add_sid_history.yml
index 9f0b7fae5..60d809e44 100644
--- a/rules/windows/builtin/security/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_susp_add_sid_history.yml
@@ -9,7 +9,6 @@ date: 2017/02/19
tags:
- attack.persistence
- attack.privilege_escalation
- - attack.t1178 # an old one
- attack.t1134.005
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
index d2f352e6a..78d011da9 100644
--- a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
@@ -7,7 +7,6 @@ date: 2019/12/03
modified: 2020/08/23
tags:
- attack.defense_evasion
- - attack.t1009 # an old one
- attack.t1027.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
index 47b1592f9..40a1bd711 100644
--- a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
@@ -13,7 +13,6 @@ date: 2017/01/10
modified: 2022/01/07
tags:
- attack.defense_evasion
- - attack.t1070 # an old one
- attack.t1070.001
- car.2016-04-002
logsource:
diff --git a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
index 3084f30bb..c38a5a2f0 100644
--- a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
@@ -25,6 +25,5 @@ falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
tags:
- - attack.t1071 # an old one
- attack.t1001.003
- attack.command_and_control
diff --git a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
index ec3eaac7c..d44cab80b 100644
--- a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
@@ -9,7 +9,6 @@ date: 2019/10/31
modified: 2021/07/06
tags:
- attack.persistence
- - attack.t1136 # an old one
- attack.t1136.001
- attack.t1136.002
logsource:
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml
index 8da6d3706..9046f32d1 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump.yml
@@ -9,7 +9,6 @@ references:
- https://twitter.com/jackcr/status/807385668833968128
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
index 6e367a645..af746fc30 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
@@ -10,7 +10,6 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - car.2019-04-004
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
index 380774c5e..d4fd16e68 100644
--- a/rules/windows/builtin/security/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
@@ -30,8 +30,6 @@ falsepositives:
 level: high
 tags:
     - attack.discovery
-    - attack.t1087 # an old one
     - attack.t1087.002
-    - attack.t1069 # an old one
     - attack.t1069.002
     - attack.s0039
diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml
index 5377a73ab..2934d2fcf 100644
--- a/rules/windows/builtin/security/win_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_susp_psexec.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
     - attack.lateral_movement
-    - attack.t1077 # an old one
     - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
index 91d3b5b1e..3f7576a13 100644
--- a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
@@ -6,7 +6,6 @@ references:
     - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 tags:
     - attack.credential_access
-    - attack.t1208 # an old one
     - attack.t1558.003
 description: Detects service ticket requests using RC4 encryption type
 author: Florian Roth
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index 1fd50a283..b685533d3 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -10,7 +10,6 @@ modified: 2021/07/07
 tags:
     - attack.privilege_escalation
     - attack.credential_access
-    - attack.t1171 # an old one
     - attack.t1557.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_susp_sdelete.yml b/rules/windows/builtin/security/win_susp_sdelete.yml
index a01737771..d53bd9789 100644
--- a/rules/windows/builtin/security/win_susp_sdelete.yml
+++ b/rules/windows/builtin/security/win_susp_sdelete.yml
@@ -28,9 +28,7 @@ level: medium
 tags:
     - attack.impact
     - attack.defense_evasion
-    - attack.t1107 # an old one
     - attack.t1070.004
-    - attack.t1066 # an old one
     - attack.t1027.005
     - attack.t1485
     - attack.t1553.002
diff --git a/rules/windows/builtin/security/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml
index d518bd8a7..73052f65d 100644
--- a/rules/windows/builtin/security/win_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_susp_time_modification.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1099 # an old one
     - attack.t1070.006
diff --git a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
index a7df9e611..8f331063c 100644
--- a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
@@ -26,5 +26,4 @@ falsepositives:
 level: high
 tags:
     - attack.lateral_movement
-    - attack.t1208 # an old one
     - attack.t1558.003
diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml
index af7b98f47..433ea4c5b 100644
--- a/rules/windows/builtin/security/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml
@@ -24,5 +24,4 @@ level: medium
 tags:
     - attack.lateral_movement
     - attack.persistence
-    - attack.t1077 # an old one
     - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
index f8b084ce8..75bd3074c 100644
--- a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
+++ b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -29,7 +29,6 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.002
     - attack.t1003.001
     - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
index 56f6374f0..210553bf3 100644
--- a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
@@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 status: stable
 author: Florian Roth
 date: 2017/03/14
-modified: 2021/11/30
+modified: 2021/01/17
 tags:
     - attack.privilege_escalation
     - attack.t1078
@@ -16,7 +16,7 @@ logsource:
     service: security
 detection:
     selection:
-        provider_Name: Microsoft-Windows-Security-Auditing
+        Provider_Name: Microsoft-Windows-Security-Auditing
         EventID: 4732
     selection_group1:
         TargetUserName|startswith: 'Administr'
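Review bot: The new `modified: 2021/01/17` in win_user_added_to_local_administrators.yml moves the rule's modification date backwards — it replaces `2021/11/30` and sits next to the `modified: 2022/01/16` this same commit writes into win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml — so the year reads as a typo and the line should be `modified: 2022/01/17`. The first hunk of win_user_creation.yml makes the identical change and needs the same correction. Consumers that pick up rule updates by comparing `modified` may otherwise treat both rules as unchanged since November 2021.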
diff --git a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
index f243911f0..45242a31d 100644
--- a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -7,7 +7,6 @@ references:
 tags:
     - attack.lateral_movement
     - attack.privilege_escalation
-    - attack.t1208 # an old one
     - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
index 9a6bfb0c4..a16ebf7a9 100644
--- a/rules/windows/builtin/security/win_user_creation.yml
+++ b/rules/windows/builtin/security/win_user_creation.yml
@@ -6,13 +6,13 @@ author: Patrick Bareiss
 references:
     - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 date: 2019/04/18
-modified: 2021/11/30
+modified: 2021/01/17
 logsource:
     product: windows
     service: security
 detection:
     selection:
-        provider_Name: Microsoft-Windows-Security-Auditing
+        Provider_Name: Microsoft-Windows-Security-Auditing
         EventID: 4720
     condition: selection
 fields:
@@ -25,5 +25,4 @@ falsepositives:
 level: low
 tags:
     - attack.persistence
-    - attack.t1136 # an old one
     - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_user_driver_loaded.yml b/rules/windows/builtin/security/win_user_driver_loaded.yml
index 98e247108..45b5f6218 100644
--- a/rules/windows/builtin/security/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_user_driver_loaded.yml
@@ -36,6 +36,5 @@ falsepositives:
     - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
 level: medium
 tags:
-    - attack.t1089 # an old one
     - attack.defense_evasion
     - attack.t1562.001
diff --git a/rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
similarity index 100%
rename from rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml
rename to rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
diff --git a/rules/windows/other/smbclient/win_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
similarity index 100%
rename from rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
rename to rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
diff --git a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
index 189973a8a..1cb7b91a1 100755
--- a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
@@ -25,5 +25,4 @@ level: high
 tags:
     - attack.persistence
     - attack.g0010
-    - attack.t1050 # an old one
     - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
index 47cf659f1..d196830fe 100644
--- a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
@@ -7,15 +7,12 @@ references:
 tags:
     - attack.persistence
     - attack.g0049
-    - attack.t1053 # an old one
     - attack.t1053.005
     - attack.s0111
-    - attack.t1050 # an old one
     - attack.t1543.003
     - attack.defense_evasion
     - attack.t1112
     - attack.command_and_control
-    - attack.t1071 # an old one
     - attack.t1071.004
 date: 2018/03/23
 modified: 2021/11/30
diff --git a/rules/windows/builtin/system/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_apt_stonedrill.yml
index d85d40dc3..3d5ba49bf 100755
--- a/rules/windows/builtin/system/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/system/win_apt_stonedrill.yml
@@ -23,5 +23,4 @@ level: high
 tags:
     - attack.persistence
     - attack.g0064
-    - attack.t1050 # an old one
     - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml
index 9c9a8a47c..1552f94a4 100644
--- a/rules/windows/builtin/system/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/system/win_apt_turla_service_png.yml
@@ -22,5 +22,4 @@ level: critical
 tags:
     - attack.persistence
     - attack.g0010
-    - attack.t1050 # an old one
     - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
index c733d9db6..cf1168712 100644
--- a/rules/windows/builtin/system/win_hack_smbexec.yml
+++ b/rules/windows/builtin/system/win_hack_smbexec.yml
@@ -27,7 +27,5 @@ level: critical
 tags:
     - attack.lateral_movement
     - attack.execution
-    - attack.t1077 # an old one
     - attack.t1021.002
-    - attack.t1035 # an old one
     - attack.t1569.002
diff --git a/rules/windows/builtin/system/win_mal_creddumper.yml b/rules/windows/builtin/system/win_mal_creddumper.yml
index 93f1da11a..fcd6b5124 100644
--- a/rules/windows/builtin/system/win_mal_creddumper.yml
+++ b/rules/windows/builtin/system/win_mal_creddumper.yml
@@ -10,13 +10,11 @@ references:
 tags:
     - attack.credential_access
     - attack.execution
-    - attack.t1003 # an old one
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
     - attack.t1003.005
     - attack.t1003.006
-    - attack.t1035 # an old one
     - attack.t1569.002
     - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index e37714662..9a66aa229 100644
--- a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -4,13 +4,12 @@ description: Detects the use of getsystem Meterpreter/Cobalt Strike command by d
 status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2021/11/30
+modified: 2022/01/16
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
     - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
     - attack.privilege_escalation
-    - attack.t1134 # an old one
     - attack.t1134.001
     - attack.t1134.002
 logsource:
@@ -44,6 +43,7 @@ detection:
             - 'rundll32'
             - '.dll,a'
             - '/p:'
+        - ImagePath|startswith: '\\127.0.0.1\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
     condition: selection_id and selection
 fields:
     - ComputerName
diff --git a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
index b4604cec8..7e4c1b7cc 100644
--- a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
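Review bot: The added `ImagePath|startswith: '\\127.0.0.1\ADMIN$\'` writes the UNC prefix with a doubled leading backslash, but under Sigma's value escaping `\\` denotes a single literal backslash, so the pattern the backends emit may begin with `\127.0.0.1` rather than `\\127.0.0.1`; if the UNC form is intended the value should be `'\\\\127.0.0.1\ADMIN$\'`, and the compiled query should be checked once against a backend. The `selection` list this item joins starts outside the hunk, so whether it sits beside other `ImagePath` selectors or under a modifier value list cannot be confirmed here. The trailing tweet URL would be better placed under `references:` so the rule's provenance stays in the metadata rather than in an inline comment.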
@@ -19,5 +19,4 @@ falsepositives:
 level: critical
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_rare_service_installs.yml b/rules/windows/builtin/system/win_rare_service_installs.yml
index 5d8565399..045d35b73 100644
--- a/rules/windows/builtin/system/win_rare_service_installs.yml
+++ b/rules/windows/builtin/system/win_rare_service_installs.yml
@@ -21,6 +21,5 @@ level: low
 tags:
     - attack.persistence
     - attack.privilege_escalation
-    - attack.t1050 # an old one
     - car.2013-09-005
     - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml
index 8b5b0feb5..43daa66bb 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config.yml
@@ -11,7 +11,6 @@ modified: 2021/10/13
 author: Dimitrios Slamaris
 tags:
     - attack.defense_evasion
-    - attack.t1073 # an old one
     - attack.t1574.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
index b6235d1e0..1a1d87fbd 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
@@ -10,7 +10,6 @@ date: 2017/05/15
 modified: 2021/10/13
 tags:
     - attack.defense_evasion
-    - attack.t1073 # an old one
     - attack.t1574.002
 author: 'Dimitrios Slamaris, @atc_project (fix)'
 logsource:
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
index ad4617a57..15cb35d23 100644
--- a/rules/windows/builtin/system/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_susp_sam_dump.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
index 6ce32b306..114e701d5 100644
--- a/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -13,7 +13,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
index 84e9d3330..bac81ee27 100644
--- a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -15,7 +15,6 @@ date: 2017/01/10
 modified: 2022/01/07
 tags:
     - attack.defense_evasion
-    - attack.t1070 # an old one
     - attack.t1070.001
     - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
index 3528eaae2..d54e00e74 100644
--- a/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_tool_psexec.yml
@@ -10,7 +10,6 @@ references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
     - attack.execution
-    - attack.t1035 # an old one
     - attack.t1569.002
     - attack.s0029
 fields:
diff --git a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
similarity index 94%
rename from rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
rename to rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
index dd4e9f6c5..363596a2f 100644
--- a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
@@ -21,6 +21,5 @@ falsepositives:
 level: low
 tags:
     - attack.persistence
-    - attack.t1053 # an old one
     - attack.s0111
     - attack.t1053.005
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 2de4b87d0..a4d6f2a09 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -9,7 +9,6 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 tags:
     - attack.s0002
-    - attack.t1003 # an old one
     - attack.lateral_movement
     - attack.credential_access
     - car.2013-07-001
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/builtin/windefend/win_alert_lsass_access.yml
similarity index 96%
rename from rules/windows/other/windefend/win_alert_lsass_access.yml
rename to rules/windows/builtin/windefend/win_alert_lsass_access.yml
index 0aef6a5d1..035db4d79 100644
--- a/rules/windows/other/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/windefend/win_alert_lsass_access.yml
@@ -9,7 +9,6 @@ date: 2018/08/26
 modified: 2021/11/13
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     # Defender Attack Surface Reduction
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/other/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_amsi_trigger.yml
rename to rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
diff --git a/rules/windows/other/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml
similarity index 93%
rename from rules/windows/other/windefend/win_defender_disabled.yml
rename to rules/windows/builtin/windefend/win_defender_disabled.yml
index 14063f75e..0d6dbae81 100644
--- a/rules/windows/other/windefend/win_defender_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_disabled.yml
@@ -10,7 +10,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml
similarity index 93%
rename from rules/windows/other/windefend/win_defender_exclusions.yml
rename to rules/windows/builtin/windefend/win_defender_exclusions.yml
index 3f31c3b69..b573e8111 100644
--- a/rules/windows/other/windefend/win_defender_exclusions.yml
+++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml
@@ -9,7 +9,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_history_delete.yml
rename to rules/windows/builtin/windefend/win_defender_history_delete.yml
diff --git a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml b/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml
similarity index 97%
rename from rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
rename to rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml
index 07d2196e8..4dbf4c800 100644
--- a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml
@@ -12,7 +12,6 @@ tags:
     - attack.execution
     - attack.lateral_movement
     - attack.t1047
-    - attack.t1035 # an old one
     - attack.t1569.002
 logsource:
     product: windows
diff --git a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
similarity index 91%
rename from rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
rename to rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 0eeb90cc1..69ea17366 100644
--- a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -8,7 +8,6 @@ references:
 status: stable
 tags:
     - attack.defense_evasion
-    - attack.t1089 # an old one
     - attack.t1562.001
 falsepositives:
     - Administrator actions
diff --git a/rules/windows/other/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_threat.yml
rename to rules/windows/builtin/windefend/win_defender_threat.yml
diff --git a/rules/windows/other/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml
similarity index 95%
rename from rules/windows/other/wmi/win_wmi_persistence.yml
rename to rules/windows/builtin/wmi/win_wmi_persistence.yml
index dcb47caef..9aa85c5f2 100644
--- a/rules/windows/other/wmi/win_wmi_persistence.yml
+++ b/rules/windows/builtin/wmi/win_wmi_persistence.yml
@@ -11,7 +11,6 @@ references:
 tags:
     - attack.persistence
     - attack.privilege_escalation
-    - attack.t1084 # an old one
     - attack.t1546.003
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 8b6e3dee2..1bc41f106 100644
--- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -24,10 +24,8 @@ detection:
     condition: selection
 tags:
     - attack.defense_evasion
-    - attack.t1093 # an old one
     - attack.t1055.012
     - attack.execution
-    - attack.t1064 # an old one
     - attack.t1059.005
     - attack.t1059.007
     - attack.t1218.005
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index 94a3f1c7e..02934f765 100644
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -6,7 +6,6 @@ references:
     - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
     - attack.defense_evasion
-    - attack.t1055 # an old one
     - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index 04829d335..041904e8b 100644
--- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -20,5 +20,4 @@ falsepositives:
 level: critical
 tags:
     - attack.defense_evasion
-    - attack.t1055 # an old one
     - attack.t1055.001
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
index fbdb2e081..958d88cea 100644
--- a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -17,7 +17,6 @@ detection:
     condition: selection
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.s0005
     - attack.t1003.001
 falsepositives:
diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
index 081bd0b01..b9e029f91 100644
--- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -18,9 +18,7 @@ detection:
 tags:
     - attack.defense_evasion
     - attack.execution
-    - attack.t1085 # an old one
     - attack.t1218.011
-    - attack.t1086 # an old one
     - attack.t1059.001
 falsepositives:
     - Unknown
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index e8b7a5b87..dffb1092d 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -25,6 +25,5 @@ falsepositives:
 level: critical
 tags:
     - attack.defense_evasion
-    - attack.t1027 # an old one
     - attack.s0139
     - attack.t1564.004
diff --git a/rules/windows/deprecated/powershell_suspicious_download.yml b/rules/windows/deprecated/powershell_suspicious_download.yml
index 72d831a05..dd2cc5a96 100644
--- a/rules/windows/deprecated/powershell_suspicious_download.yml
+++ b/rules/windows/deprecated/powershell_suspicious_download.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell download command
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
index 90cf7c75d..f0f7d851c 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index 080a241c5..bf4fd5226 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 logsource:
diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
index 7f3e6b0a4..7c80fd93b 100644
--- a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
@@ -9,7 +9,6 @@ references:
     - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 tags:
     - attack.command_and_control
-    - attack.t1071 # an old one
     - attack.t1071.004
 logsource:
     product: windows
diff --git a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
index a0299149f..6b396ffe6 100644
--- a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
@@ -11,10 +11,8 @@ references:
 tags:
     - attack.execution
     - attack.t1559.001
-    - attack.t1175 # an old one
     - attack.defense_evasion
     - attack.t1218.010
-    - attack.t1117 # an old one
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml
index 2817cc600..b9be2da02 100644
--- a/rules/windows/driver_load/driver_load_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
 tags:
     - attack.credential_access
     - attack.execution
-    - attack.t1003 # an old one
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
     - attack.t1003.005
     - attack.t1003.006
-    - attack.t1035 # an old one
     - attack.t1569.002
     - attack.s0005
 logsource:
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 9593302ff..172b3e23f 100644
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -13,7 +13,6 @@ references:
     - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
     - attack.privilege_escalation
-    - attack.t1134 # an old one
     - attack.t1134.001
     - attack.t1134.002
 logsource:
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml
index 1db8cc4d0..fbaec49c6 100755
--- a/rules/windows/driver_load/driver_load_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml
@@ -18,5 +18,4 @@ level: high
 tags:
     - attack.persistence
     - attack.privilege_escalation
-    - attack.t1050 # an old one
     - attack.t1543.003
diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml
index 451971948..954dd6b04 100755
--- a/rules/windows/file_delete/sysmon_delete_prefetch.yml
+++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml
@@ -5,6 +5,7 @@ description: Detects the deletion of a prefetch file (AntiForensic)
 level: high
 author: Cedric MAURUGEON
 date: 2021/09/29
+modified: 2022/01/15
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -17,7 +18,9 @@ detection:
         TargetFilename|endswith: '.pf'
     exception:
         Image: 'C:\windows\system32\svchost.exe'
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
     condition: selection and not exception
 falsepositives:
     - Unknown
diff --git a/rules/windows/file_delete/win_fd_delete_appli_log.yml b/rules/windows/file_delete/win_fd_delete_appli_log.yml
new file mode 100644
index 000000000..a2f9df494
--- /dev/null
+++ b/rules/windows/file_delete/win_fd_delete_appli_log.yml
@@ -0,0 +1,24 @@
+title: Delete Log from Application
+id: b1decb61-ed83-4339-8e95-53ea51901720
+status: experimental
+description: Deletion of log files is a known anti-forensic technique
+author: frack113
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+date: 2022/01/16
+logsource:
+    product: windows
+    category: file_delete
+detection:
+    selection_teamviewer:
+        TargetFilename|endswith: '.log'
+        TargetFilename|contains: '\TeamViewer_'
+    filter:
+        Image: C:\Windows\system32\svchost.exe
+    condition: selection_teamviewer and not filter
+falsepositives:
+    - unknown
+level: low
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
diff --git a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
index cf9ea41cb..687865be6 100644
--- a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
+++ b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
@@ -14,7 +14,6 @@ modified: 2021/09/19
 tags:
     - attack.execution
     - attack.t1218.011
-    - attack.t1085 # an old one
 logsource:
     product: windows
     category: file_event
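Review bot: Changing the prefetch rule's `User` exception from an exact match to `User|startswith` widens the exclusion to any account name beginning with `NT AUTHORITY\SYSTEM`, and the second entry `'AUTORITE NT\Sys'` is a truncated prefix whose purpose the comment `# French language settings` does not explain; the comment should give the full localized name and say why it is cut short, presumably to avoid the accented character, e.g. `# French localized SYSTEM account (AUTORITE NT\Système); prefix sidesteps the accented character`. Because `Image` stays an exact match on svchost.exe the widening is small, but keeping `User:` as a plain list of both full names would preserve the previous tightness if the accented spelling can be stored reliably in the rule file.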
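Review bot: In win_fd_delete_appli_log.yml the only exclusion is `Image: C:\Windows\system32\svchost.exe` and nothing records why a svchost.exe-hosted service deleting TeamViewer `.log` files is treated as benign, while deletions by the TeamViewer binaries themselves (likely routine log rotation) are not excluded, yet `falsepositives` lists only `- unknown`. Suggest a comment on the filter explaining the svchost.exe exclusion and an entry under `falsepositives` such as `- Log rotation or cleanup performed by the application itself`. For consistency with the sibling rules in this commit the path should be quoted, `Image: 'C:\Windows\system32\svchost.exe'`, and the placeholder capitalised as `- Unknown`.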
diff --git a/rules/windows/file_event/file_event_hack_dumpert.yml b/rules/windows/file_event/file_event_hack_dumpert.yml
index ed3625dbb..74a805179 100755
--- a/rules/windows/file_event/file_event_hack_dumpert.yml
+++ b/rules/windows/file_event/file_event_hack_dumpert.yml
@@ -13,7 +13,6 @@ date: 2020/02/04
 modified: 2021/09/21
 tags:
     - attack.credential_access
-    - attack.t1003 # an old one
     - attack.t1003.001
 logsource:
     category: file_event
diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml
index 1aae4f62e..a0bacd772 100644
--- a/rules/windows/file_event/file_event_hktl_createminidump.yml
+++ b/rules/windows/file_event/file_event_hktl_createminidump.yml
@@ -13,7 +13,6 @@ modified: 2021/09/19
 tags:
     - attack.credential_access
     - attack.t1003.001
-    - attack.t1003 # an old one
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml
index 8c401e191..f8e747bbe 100644
--- a/rules/windows/file_event/file_event_lsass_dump.yml
+++ b/rules/windows/file_event/file_event_lsass_dump.yml
@@ -13,7 +13,6 @@ date: 2021/11/15
 tags:
     - attack.credential_access
     - attack.t1003.001
-    - attack.t1003 # an old one
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file_event/file_event_mal_adwind.yml b/rules/windows/file_event/file_event_mal_adwind.yml
index bab320074..1e79f6b12 100644
--- a/rules/windows/file_event/file_event_mal_adwind.yml
+++ b/rules/windows/file_event/file_event_mal_adwind.yml
@@ -15,7 +15,6 @@ tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
-    - attack.t1064 # an old one
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/malware/file_event_mal_octopus_scanner.yml b/rules/windows/file_event/file_event_mal_octopus_scanner.yml
similarity index 100%
rename from rules/windows/malware/file_event_mal_octopus_scanner.yml
rename to rules/windows/file_event/file_event_mal_octopus_scanner.yml
diff --git a/rules/windows/file_event/file_event_susp_ntds_dit.yml b/rules/windows/file_event/file_event_susp_ntds_dit.yml
new file mode 100644
index 000000000..3e2d41cf3
--- /dev/null
+++ b/rules/windows/file_event/file_event_susp_ntds_dit.yml
@@ -0,0 +1,26 @@
+title: Suspicious Process Writes Ntds.dit
+id: 11b1ed55-154d-4e82-8ad7-83739298f720
+status: experimental
+description: Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file
+references:
+    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
+    - https://adsecurity.org/?p=2398
+author: Florian Roth
+date: 2022/01/11
+tags:
+    - attack.credential_access
+    - attack.t1003.002
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: '\ntds.dit'
+        Image|endswith:
+            - '\powershell.exe'
+            - '\cmd.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml
index 1204a2901..c2cee9c49 100644
--- a/rules/windows/file_event/file_event_susp_task_write.yml
+++ b/rules/windows/file_event/file_event_susp_task_write.yml
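Review bot: `description` in file_event_susp_ntds_dit.yml should read `an Active Directory database (ntds.dit) file`, and `falsepositives: - Unknown` undersells the obvious benign case: the selection matches any `cmd.exe` or `powershell.exe` writing a file named `ntds.dit` regardless of destination, so administrator backup or migration scripts that copy the database from a shadow copy or an IFM export will trigger it. Suggest adding `- Administrative backup or migration scripts that copy ntds.dit via cmd.exe or PowerShell` under `falsepositives`, and stating in `description` that the rule keys on the writing interpreter rather than on the destination path.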
@@ -1,11 +1,12 @@
-title: Suspicious Scheduled Task Writ to System32 Tasks
+title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: experimental
-description:
+description: Detects the creation of tasks from processes executed from suspicious locations
references:
- - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+ - Internal Research
author: Florian Roth
date: 2021/11/16
+modified: 2022/01/12
tags:
- attack.persistence
- attack.execution
diff --git a/rules/windows/file_event/file_event_tool_psexec.yml b/rules/windows/file_event/file_event_tool_psexec.yml
index 91a51e0af..d4e3d237b 100644
--- a/rules/windows/file_event/file_event_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_tool_psexec.yml
@@ -13,7 +13,6 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
tags:
- attack.execution
- - attack.t1035 # an old one
- attack.t1569.002
- attack.s0029
fields:
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bc5be1459..49c10bff4 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -7,7 +7,6 @@ date: 2020/05/26
modified: 2021/10/28
tags:
- attack.defense_evasion
- - attack.t1036 # an old one
- attack.t1036.005
logsource:
category: file_event
diff --git a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
index bd7f61751..4c07b444c 100755
--- a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -44,7 +44,6 @@ falsepositives:
level: high
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index 72e876b02..330c16858 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -19,5 +19,4 @@ falsepositives:
level: high
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index c3bf8ebe7..3648d592e 100755
--- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -8,7 +8,6 @@ date: 2019/10/22
modified: 2021/08/16
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
logsource:
category: file_event
diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml
index 2f67a1a0c..658789a7a 100644
--- a/rules/windows/file_event/sysmon_office_persistence.yml
+++ b/rules/windows/file_event/sysmon_office_persistence.yml
@@ -28,5 +28,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1137 # an old one
- attack.t1137.006
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index ebda72aba..4f21221df 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -114,5 +114,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1086 # an old one
- attack.t1059.001
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 431d86d6a..3e8ca7f58 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -22,5 +22,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.002
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 3484536d1..584b374df 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -29,6 +29,5 @@ falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high
tags:
- - attack.t1071 # an old one
- attack.t1001.003
- attack.command_and_control
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 7c44eaa61..119379751 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -25,5 +25,4 @@ falsepositives:
level: medium
tags:
- attack.persistence
- - attack.t1023 # an old one
- attack.t1547.009
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index ba0a1127c..d32dd30da 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -25,6 +25,5 @@ falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium
tags:
- - attack.t1089 # an old one
- attack.t1562.001
- attack.defense_evasion
diff --git a/rules/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
index 655ddfe50..59a98326c 100755
--- a/rules/windows/file_event/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -42,5 +42,4 @@ falsepositives:
level: critical
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
diff --git a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
index 5d736bc2e..4265bccba 100755
--- a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -18,6 +18,5 @@ falsepositives:
- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
tags:
- - attack.t1084 # an old one
- attack.t1546.003
- attack.persistence
diff --git a/rules/windows/file_event/win_fe_creation_new_shim_database.yml b/rules/windows/file_event/win_fe_creation_new_shim_database.yml
index e98d18a5a..c00f31c4e 100644
--- a/rules/windows/file_event/win_fe_creation_new_shim_database.yml
+++ b/rules/windows/file_event/win_fe_creation_new_shim_database.yml
@@ -17,7 +17,7 @@ detection:
TargetFilename|contains: '\Windows\apppatch\Custom\'
condition: selection
falsepositives:
- - Unkown
+ - Unknown
level: medium
tags:
- attack.persistence
diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
index bc300a247..5d16e8fb9 100644
--- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
+++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
@@ -21,7 +21,7 @@ detection:
- '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
condition: selection and not 1 of filter*
falsepositives:
- - Unkown
+ - Unknown
level: medium
tags:
- attack.persistence
diff --git a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
index 2907976d7..5b2dfdcb1 100644
--- a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
+++ b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
@@ -17,7 +17,7 @@ detection:
TargetFilename: 'C:\program.exe'
condition: selection
falsepositives:
- - Unkown
+ - Unknown
level: high
tags:
- attack.persistence
diff --git a/rules/windows/file_event/win_fe_macro_file.yml b/rules/windows/file_event/win_fe_macro_file.yml
new file mode 100644
index 000000000..55e102b80
--- /dev/null
+++ b/rules/windows/file_event/win_fe_macro_file.yml
@@ -0,0 +1,36 @@
+title: Dump Office Macro Files from Commandline
+id: b1c50487-1967-4315-a026-6491686d860e
+status: experimental
+description: A office file with macro is created from a commandline or a script
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md
+ - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+date: 2022/01/23
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_ext:
+ TargetFilename|endswith:
+ - .docm
+ - .dotm
+ - .xlsm
+ - .xltm
+ - .potm
+ - .pptm
+ - .pptx
+ selection_cmd:
+ - Image|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - ParentImage|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1566.001
\ No newline at end of file
diff --git a/rules/windows/file_event/win_fe_susp_colorcpl.yml b/rules/windows/file_event/win_fe_susp_colorcpl.yml
new file mode 100644
index 000000000..deb3389c8
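Review bot: `.pptx` in `selection_ext` of the new macro rule is not a macro-enabled format (the macro-enabled PowerPoint formats are `.pptm`, `.potm` and `.ppsm`), so that entry contradicts the rule's own premise and will fire on every plain PowerPoint file a script writes; replace it with `- .ppsm`, and per the referenced Office file-format page consider `.xlsb` and the add-in formats `.xlam`/`.ppam`, which can also carry VBA. The title and description do not describe the selection: nothing here dumps anything, so `title: Office Macro File Created From Command Line` and `description: Detects the creation of a macro-enabled Office file by cmd.exe or powershell.exe, or by a process one of them spawned` would match what `all of selection_*` actually checks. Nit: the file ends without a trailing newline.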
--- /dev/null
+++ b/rules/windows/file_event/win_fe_susp_colorcpl.yml
@@ -0,0 +1,27 @@
+title: Suspicious Creation with Colorcpl
+id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
+status: experimental
+description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+author: frack113
+references:
+ - https://twitter.com/eral4m/status/1480468728324231172?s=20
+date: 2022/01/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: \colorcpl.exe
+ valid_ext:
+ TargetFilename|endswith:
+ - .icm
+ - .gmmp
+ - .cdmp
+ - .camp
+ condition: selection and not valid_ext
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564
diff --git a/rules/windows/file_event/win_fe_writing_local_admin_share.yml b/rules/windows/file_event/win_fe_writing_local_admin_share.yml
index f24754360..5df4b850e 100644
--- a/rules/windows/file_event/win_fe_writing_local_admin_share.yml
+++ b/rules/windows/file_event/win_fe_writing_local_admin_share.yml
@@ -18,7 +18,7 @@ detection:
- '\ADMIN$\'
condition: selection
falsepositives:
- - Unkown
+ - Unknown
level: medium
tags:
- attack.lateral_movement
diff --git a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
index ddb733aac..c7586f7d6 100644
--- a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -13,7 +13,6 @@ status: test
tags:
- attack.defense_evasion
- attack.privilege_escalation
- - attack.t1073 # an old one
- attack.t1574.002
detection:
selection_dll:
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index edd59fc66..cdf9ee7d1 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
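Review bot: The `valid_ext` exclusion in the new colorcpl rule is a suffix check only, so renaming a payload to `payload.icm` before feeding it to colorcpl.exe slips past `condition: selection and not valid_ext`; the rule should state that limitation the way the procexplorer rule touched in this same diff does, e.g. under `falsepositives` or the description: `A copied file renamed to a color-profile extension (.icm, .gmmp, .cdmp, .camp) is not detected`. The description currently explains the technique rather than the detection; `Detects colorcpl.exe writing a file without a color-profile extension, which the referenced post shows can be abused to copy arbitrary files into the spool\drivers\color directory` reflects what the selection does. `attack.t1564` (Hide Artifacts) also looks like a loose fit for a file-copy primitive, so the mapping is worth double-checking against the reference.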
@@ -12,7 +12,6 @@ references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
tags:
- - attack.t1086 # an old one
- attack.t1059.001
- attack.execution
logsource:
diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml
index 39d0d7621..b49be7ca9 100644
--- a/rules/windows/image_load/sysmon_susp_fax_dll.yml
+++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml
@@ -26,7 +26,5 @@ level: high
tags:
- attack.persistence
- attack.defense_evasion
- - attack.t1073 # an old one
- - attack.t1038 # an old one
- attack.t1574.001
- attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 726a87dd1..ff5ca7bfe 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -23,5 +23,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1073 # an old one
- attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index f8d5be4aa..6feea67a4 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 36b37ccb3..2cb835dfa 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index c30288f94..fc8c755b5 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 47a3b0424..649f5d309 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 54bf26095..f72268538 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index 802b5df9d..5b31fa62a 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -27,5 +27,4 @@ falsepositives:
level: high
tags:
- attack.execution
- - attack.t1204 # an old one
- attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 90bfdd134..03fb50e95 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -65,5 +65,4 @@ falsepositives:
level: high
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 393876e94..0be23656b 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -28,7 +28,5 @@ level: high
tags:
- attack.persistence
- attack.defense_evasion
- - attack.t1073 # an old one
- attack.t1574.002
- - attack.t1038 # an old one
- attack.t1574.001
diff --git a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
index d167e1004..831d31022 100755
--- a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -20,5 +20,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 9b2f87abb..971fdb340 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
-modified: 2021/11/25
+modified: 2022/01/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -48,6 +48,8 @@ detection:
- '\explorer.exe'
- '\opera_autoupdate.exe'
- '\MsMpEng.exe'
+ - '\thor64.exe'
+ - '\thor.exe'
filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
Image|startswith:
- 'C:\Program Files\'
diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index 2b7a1420d..f0a9711a8 100755
--- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -19,6 +19,5 @@ falsepositives:
- Unknown (data set is too small; further testing needed)
level: high
tags:
- - attack.t1084 # an old one
- attack.t1546.003
- attack.persistence
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 177fb35a1..6bb0a471b 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -46,4 +46,3 @@ tags:
- attack.t1218
- attack.execution
- attack.t1559.001
- - attack.t1175 # an old one
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index 804ddbebe..90737fa59 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -96,4 +96,3 @@ level: medium
tags:
- attack.command_and_control
- attack.t1571
- - attack.t1043 # an old one
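Review bot: The two new THOR entries (`'\thor64.exe'`, `'\thor.exe'`) are name-only exclusions in a filter list whose key sits above the hunk (presumably an `Image|endswith` list, given the neighbouring `'\MsMpEng.exe'` entries), so any process named thor.exe or thor64.exe, from any path, is now exempt from a rule about non-wmiprvse processes loading WMI modules. If THOR normally runs from an administrator-controlled directory, the existing `filter_generic` (`C:\Program Files\` and friends) already covers it and the new entries are redundant; if it is run from arbitrary folders, either anchor the entries with more of the path or add a comment next to them stating why a path-less exclusion is acceptable, e.g. `# THOR scanner is run ad hoc from changing locations; name-only match is deliberate`. The enclosing filter block starts outside the hunk.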
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index b728c7afb..f0deb73c0 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -11,7 +11,6 @@ references:
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
logsource:
category: network_connection
product: windows
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index b42525448..a75bcb51b 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -12,7 +12,6 @@ tags:
- attack.t1572
- attack.lateral_movement
- attack.t1021.001
- - attack.t1076 # an old one
- car.2013-07-002
logsource:
category: network_connection
diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index ade7b3075..6aaf10275 100644
--- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -5,13 +5,6 @@ references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
-tags:
- - attack.execution
- - attack.t1559.001
- - attack.t1175 # an old one
- - attack.defense_evasion
- - attack.t1218.010
- - attack.t1117 # an old one
author: Dmitriy Lifanov, oscd.community
status: experimental
date: 2019/10/25
@@ -31,4 +24,9 @@ fields:
- DestinationPort
falsepositives:
- unknown
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.execution
+ - attack.t1559.001
+ - attack.defense_evasion
+ - attack.t1218.010
\ No newline at end of file
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index a3a16207b..e6eb9c587 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -24,7 +24,5 @@ level: high
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
- attack.lateral_movement
- attack.t1021.006
- - attack.t1028 # an old one
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 2b32f35c2..97a5b9efd 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -47,5 +47,4 @@ level: medium
tags:
- attack.defense_evasion
- attack.t1218.011
- - attack.t1085 # an old one
- attack.execution
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 91da2c975..faf94a368 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -45,5 +45,4 @@ level: high
tags:
- attack.lateral_movement
- attack.t1021.001
- - attack.t1076 # an old one
- car.2013-07-002
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 0566f2b82..fd7cba0ab 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
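Review bot: The relocated `tags:` block in sysmon_regsvr32_network_activity.yml still leaves the file without a trailing newline (`\ No newline at end of file` survives on the new side), and the `- unknown` entry under `falsepositives` directly above it stays lowercase while this same commit normalizes `Unkown` to `Unknown` in the file_event rules. Since the hunk already rewrites these lines, ending the file with `  - attack.t1218.010` followed by a newline and changing the entry to `- Unknown` would bring it in line with the rest of the diff. The rule's selection is outside both hunks, so this is about metadata only.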
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -28,7 +28,5 @@ level: high
tags:
- attack.credential_access
- attack.t1558
- - attack.t1208 # an old one
- attack.lateral_movement
- attack.t1550.003
- - attack.t1097 # an old one
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 915ef7f25..d275abb15 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -29,4 +29,3 @@ tags:
- attack.t1105
- attack.exfiltration
- attack.t1567.001
- - attack.t1048 # an old one
diff --git a/rules/windows/network_connection/win_nc_imewdbld.yml b/rules/windows/network_connection/win_nc_imewdbld.yml
new file mode 100644
index 000000000..bbd5d676c
--- /dev/null
+++ b/rules/windows/network_connection/win_nc_imewdbld.yml
@@ -0,0 +1,23 @@
+title: Download a File with IMEWDBLD.exe
+id: 8d7e392e-9b28-49e1-831d-5949c6281228
+status: experimental
+description: Use IMEWDBLD.exe (built-in to windows) to download a file
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
+ - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+date: 2022/01/22
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith: '\IMEWDBLD.exe'
+ condition: selection
+falsepositives:
+ - Legitimate script
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
diff --git a/rules/windows/network_connection/win_nc_msiexec.yml b/rules/windows/network_connection/win_nc_msiexec.yml
new file mode 100644
index 000000000..4233f744c
--- /dev/null
+++ b/rules/windows/network_connection/win_nc_msiexec.yml
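Review bot: The new IMEWDBLD rule matches any outbound connection initiated by IMEWDBLD.exe, which is all a network_connection event can show; it cannot confirm a download, so the title and description overstate it — `title: IMEWDBLD.exe Network Connection` and `description: Detects IMEWDBLD.exe initiating a network connection, which the LOLBAS entry documents as a way to download arbitrary files` describe the selection as written. The first reference's anchor, `#atomic-test-10---windows---powershell-download`, points at the PowerShell download test rather than an IMEWDBLD one; verify the test number or link the T1105 page without an anchor. `Initiated: 'true'` is correctly quoted for Sysmon's string-valued field. Nit: the file ends without a trailing newline.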
@@ -0,0 +1,25 @@
+title: Msiexec Initiated Connection
+id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+date: 2022/01/16
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith: '\msiexec.exe'
+ condition: selection
+falsepositives:
+ - Legitimate msiexec over networks
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index 900ec9f5a..421032085 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -13,7 +13,6 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
tags:
- attack.execution
- - attack.t1035 # an old one
- attack.t1569.002
- attack.s0029
fields:
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index d36011ef3..bb2ad3d52 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
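Review bot: The new msiexec rule fires on every outbound connection msiexec.exe initiates, and the `falsepositives` entry `Legitimate msiexec over networks` does not tell an analyst what to expect; in managed environments MSI packages are routinely installed from HTTP or UNC locations by deployment tooling, so at minimum name that, e.g. `- Software deployment systems installing MSI packages from a network location`. The description is the generic T1218.007 technique text and describes msiexec rather than the detection; it should say the rule is a low-fidelity signal for msiexec fetching a package from a remote location (the referenced atomic, as I recall, runs `msiexec /q /i` against a URL) that is best paired with a process_creation rule matching a URL in msiexec's `CommandLine`. Nit: the file ends without a trailing newline.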
@@ -2,11 +2,11 @@ title: Alternate PowerShell Hosts Pipe
 id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 status: test
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-author: Roberto Rodriguez @Cyb3rWard0g
+author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2021/12/17
+modified: 2022/01/19
 logsource:
 product: windows
 category: pipe_created
@@ -19,8 +19,15 @@ detection:
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
 - '\WINDOWS\System32\wsmprovhost.exe'
+ - '\Windows\system32\dsac.exe'
+ - '\Windows\system32\wbem\wmiprvse.exe'
 filter2:
 Image: null
+ filter3: # Microsoft SQL Server\130\Tools\
+ Image|contains|all:
+ - ':\Program Files'
+ - '\Microsoft SQL Server\'
+ Image|endswith: '\Tools\Binn\SQLPS.exe'
 condition: selection and not 1 of filter*
 fields:
 - ComputerName
@@ -32,5 +39,4 @@ falsepositives:
 level: medium
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
index 5fa249bee..ee3fb7c22 100644
--- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
@@ -23,7 +23,6 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
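Review bot: Adding `'\Windows\system32\wbem\wmiprvse.exe'` to the host filter list in the second hunk (`@@ -19,8 +19,15 @@`; the list's own key starts outside the hunk) removes the WMI provider host from this detection entirely, so PowerShell hosted inside WmiPrvSE will no longer alert; since that process is also where remotely invoked WMI providers run, this is a deliberate blind spot and the reason should be recorded on the line, e.g. `- '\Windows\system32\wbem\wmiprvse.exe'  # WMI-hosted PowerShell; excluded for noise - TODO confirm`. The same applies, less severely, to the new `dsac.exe` entry. The two new entries spell the path `\Windows\system32` while the neighbouring entries use `\WINDOWS\System32`; Sigma matching is case-insensitive so this is harmless, but one spelling keeps the list greppable.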
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
similarity index 95%
rename from rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 1ba70f716..dd72dd04b 100644
--- a/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
similarity index 96%
rename from rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 6ab90c2c2..b7d9d3547 100644
--- a/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -8,7 +8,6 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
similarity index 96%
rename from rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 4c4ddb2dd..215c3d778 100644
--- a/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -8,7 +8,6 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
similarity index 91%
rename from rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 8605312d6..88fde7aae 100644
--- a/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -13,10 +13,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
similarity index 95%
rename from rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 95a2be973..bd1a09cbb 100644
--- a/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -9,7 +9,6 @@ date: 2020/06/29
 modified: 2021/10/16
 tags:
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_pc_susp_get_nettcpconnection.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
similarity index 94%
rename from rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
index 551b1b68b..183154501 100644
--- a/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
similarity index 95%
rename from rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 8996bef6c..f5e493c93 100644
--- a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -8,7 +8,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
similarity index 95%
rename from rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
rename to rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index cebabac1d..5622ab6cb 100644
--- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -10,7 +10,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
similarity index 97%
rename from rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
rename to rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index b7a636ef6..fb48751d4 100644
--- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -15,7 +15,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
similarity index 97%
rename from rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
rename to rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index a13453f9a..8faa41211 100644
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070.003
- - attack.t1146 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
rename to rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
rename to rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
similarity index 97%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 27ec125ce..2ffff9458 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -15,7 +15,6 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_powercat.yml
rename to rules/windows/powershell/powershell_module/posh_pm_powercat.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
similarity index 92%
rename from rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
rename to rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index ba800a5b4..424bff297 100644
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -10,10 +10,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_susp_get_nettcpconnection.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_ad_group_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
similarity index 94%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
index 097708941..598a3549e 100644
--- a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
similarity index 96%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
index 3281bd461..1ebead1f9 100644
--- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
similarity index 98%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index 1859ba45a..3c9fe2e92 100644
--- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_local_group_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_smb_share_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
rename to rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml
rename to rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
rename to rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_automated_collection.yml
rename to rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
similarity index 79%
rename from rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
rename to rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
index ba1adbeb0..6adae36db 100644
--- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
@@ -1,16 +1,17 @@
 title: AzureHound PowerShell Commands
 id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
 status: experimental
-description:
+description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
 references:
 - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 author: Austin Songer (@austinsonger)
 date: 2021/10/23
+modified: 2022/01/12
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
 ScriptBlockText|contains: Invoke-AzureHound
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_capture_screenshots.yml
rename to rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
new file mode 100644
index 000000000..d1902e7f8
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -0,0 +1,35 @@
+title: Clear PowerShell History
+id: 26b692dc-1722-49b2-b496-a8258aa6371d
+related:
+ - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+ type: derived
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+references:
+ - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+date: 2022/01/25
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_1:
+ ScriptBlockText|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ ScriptBlockText|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_2:
+ ScriptBlockText|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/powershell_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_clearing_windows_console_history.yml
rename to rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_cmdlet_scheduled_task.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
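Review bot: In `selection_2` of the new `posh_ps_clear_powershell_history.yml`, the value `'–HistorySaveStyle'` begins with an en dash (U+2013) rather than the ASCII hyphen, so `contains|all` will not match a script block that uses the ordinary `-HistorySaveStyle` parameter spelling; change it to `- '-HistorySaveStyle'`, and if the en-dash form is meant to be covered as well it needs its own selection, because `contains|all` requires every listed value to be present. In `selection_1`, the `contains` values `'del'` and `'rm'` are substrings of many ordinary words (`model`, `Format`, `Information`), so that selection effectively fires on any script block mentioning `(Get-PSReadlineOption).HistorySavePath`; that may be acceptable at `level: medium`, but it belongs in `falsepositives` rather than the generic `Legitimate PowerShell scripts`.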
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
rename to rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_cor_profiler.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
similarity index 87%
rename from rules/windows/powershell/powershell_script/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index a5b0d2a85..ab12a9c07 100644
--- a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -7,10 +7,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.persistence
- - attack.t1136.001
- - attack.t1136 # an old one
+ - attack.t1136.001
 author: '@ROxPinTeddy'
 date: 2020/04/11
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
new file mode 100644
index 000000000..6c098c110
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -0,0 +1,26 @@
+title: Create Volume Shadow Copy with Powershell
+id: afd12fed-b0ec-45c9-a13d-aa86625dac81
+status: experimental
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - win32_shadowcopy
+ - ').Create('
+ - ClientAccessible
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
similarity index 96%
rename from rules/windows/powershell/powershell_script/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index c556a6603..8c35c9c81 100644
--- a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -24,4 +24,3 @@ level: low tags: - attack.exfiltration - attack.t1560 - - attack.t1002 # an old one
diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
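Review bot: This rule overlaps with `posh_ps_susp_win32_shadowcopy.yml`, which is renamed later in this same commit and by its name also keys on the Win32_ShadowCopy class, yet there is no `related:` entry tying the two together, so a reader cannot tell whether this is a narrower derivative or a duplicate; add a `related:` block with that rule's id and `type: derived`, as the Clear PowerShell History rule in this commit does. The description is the ATT&CK text for T1003.003 and says nothing about what the selection matches; a wording such as `description: Detects PowerShell creating a client-accessible volume shadow copy via the Win32_ShadowCopy WMI class, a common precursor to copying the Active Directory database` would make triage faster. The same copied-ATT&CK-description problem applies to the MsXml COM Object, Change User Agents, Suspicious SSL Connection and Suspicious Get-WmiObject rules added in this commit.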
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_directoryservices_accountmanagement.yml rename to rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml diff --git a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml similarity index 95% rename from rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml rename to rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml index 411443846..ea3a7d0a7 100644 --- a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml @@ -10,7 +10,6 @@ tags: - attack.t1048 - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml rename to rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml rename to rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml rename to rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_file_and_directory_discovery.yml rename to rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_get_acl_service.yml rename to rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_get_childitem_bookmarks.yml rename to rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml diff --git a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml rename to rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml similarity index 97% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml index 07fbbbd83..48bb1d48d 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml @@ -12,7 +12,6 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 - - attack.t1086 #an old one logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml diff --git a/rules/windows/powershell/powershell_script/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_keylogging.yml rename to rules/windows/powershell/powershell_script/posh_ps_keylogging.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_localuser.yml rename to rules/windows/powershell/powershell_script/posh_ps_localuser.yml diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml similarity index 99% rename from rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml rename to rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 55aff9fcd..937652d74 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -7,7 +7,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 modified: 2021/11/29 diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml similarity index 97% rename from rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml rename to rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml index f6e400310..d86e73d9a 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml @@ -7,7 +7,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 modified: 2021/10/16 
diff --git a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
new file mode 100644
index 000000000..c2235ff87
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -0,0 +1,28 @@
+title: Powershell MsXml COM Object
+id: 78aa1347-1517-4454-9982-b338d6df8343
+status: experimental
+description: |
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+ Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
+author: frack113
+date: 2022/01/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
+ - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - New-Object
+ - '-ComObject'
+ - MsXml2.ServerXmlHttp
+ condition: selection
+falsepositives:
+ - legitimate administrative script
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.001
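Review bot: The description block carries over the `(Citation: TechNet PowerShell)` marker from the ATT&CK source markdown, which is a rendering artifact and reads as noise in a rule description; drop it, or better replace the block with a sentence that says what is matched, e.g. `description: Detects PowerShell instantiating the MsXml2.ServerXmlHttp COM object, which scripts use to fetch remote content`. The logsource also lacks the `definition: Script block logging must be enabled` line that the sibling ps_script rules in this commit carry; the Suspicious SSL Connection rule has the same omission. `falsepositives: - legitimate administrative script` is lowercase and phrased differently from the `Legitimate PowerShell scripts` wording used by the other new rules here, which hurts consistency when rules are rendered side by side.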
diff --git a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml similarity index 98% rename from rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml rename to rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml index 91dda5050..f107fce3f 100644 --- a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml @@ -9,7 +9,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Alec Costello logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml similarity index 93% rename from rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml rename to rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml index fa8335566..b6784c866 100644 --- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml @@ -8,10 +8,8 @@ references: tags: - attack.defense_evasion - attack.t1564.004 - - attack.t1096 # an old one - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 modified: 2021/12/02 diff --git a/rules/windows/powershell/powershell_script/powershell_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_office_comobject_registerxll.yml rename to rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml rename to rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml diff --git a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml similarity index 95% rename from rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml rename to rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml index a795e8d11..7c532498b 100644 --- a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml @@ -9,7 +9,6 @@ tags: - attack.credential_access - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: John Lambert (idea), Florian Roth (rule) date: 2017/04/09 modified: 2021/10/16 diff --git a/rules/windows/powershell/powershell_script/powershell_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml similarity index 94% rename from rules/windows/powershell/powershell_script/powershell_psattack.yml rename to rules/windows/powershell/powershell_script/posh_ps_psattack.yml index 121446277..edd719577 100644 --- a/rules/windows/powershell/powershell_script/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml @@ -7,7 +7,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 modified: 2021/10/16 
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml
rename to rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
new file mode 100644
index 000000000..cda5dcbf2
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -0,0 +1,25 @@
+title: Use Remove-Item to Delete File
+id: b8af5f36-1361-4ebe-9e76-e36128d947bf
+status: experimental
+description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Remove-Item
+ - '-Path '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_request_kerberos_ticket.yml
rename to rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
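Review bot: The description promises coverage of deletion "with `-Recurse`", but the selection only requires `Remove-Item` and `-Path `, so description and detection disagree; either add `- '-Recurse'` to the `contains|all` list or reword the description to what is actually matched. `-Path` is also the cmdlet's positional default, so a large share of invocations omit it entirely and are not seen, while the ones that do include it are no more suspicious than the rest. `level: low` is right for such a broad signal, but the description should say plainly that this is an audit rule for Remove-Item usage rather than a targeted indicator removal detection.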
diff --git a/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml similarity index 100% rename from rules/windows/powershell/powershell_script/win_root_certificate_installed.yml rename to rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml rename to rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml rename to rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml diff --git a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml rename to rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml diff --git a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml similarity index 96% rename from rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml rename to rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml index 9cad56ae0..d916707fe 100644 
--- a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml @@ -10,7 +10,6 @@ tags: - attack.t1055 - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: David Ledbetter (shellcode), Florian Roth (rule) date: 2018/11/17 modified: 2021/10/16 diff --git a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml rename to rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml diff --git a/rules/windows/powershell/powershell_script/powershell_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_software_discovery.yml rename to rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml diff --git a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml rename to rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml new file mode 100644 index 000000000..2477e7898 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml 
@@ -0,0 +1,27 @@
+title: Change User Agents with WebRequest
+id: d4488827-73af-4f8d-9244-7b7662ef046e
+status: experimental
+author: frack113
+date: 2022/01/23
+description: |
+ Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
+ Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Invoke-WebRequest
+ - '-UserAgent '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
new file mode 100644
index 000000000..e02900789
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
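Review bot: The selection only matches the full cmdlet name `Invoke-WebRequest`, but script block text just as often carries the built-in aliases `iwr`, and on Windows PowerShell `curl` and `wget`, all of which take the same `-UserAgent` parameter and are missed here (`Invoke-RestMethod` / `irm` likewise). If alias coverage is intended, put the cmdlet names and aliases in a separate `ScriptBlockText|contains:` list alongside the `-UserAgent ` requirement; if not, state the limitation in the description. `falsepositives: - Unknown` understates the noise, since setting a user agent is routine in update, monitoring and API scripts; `- Legitimate scripts that set a custom user agent` is closer to reality. The file also ends with an extra empty line after the last tag, which yamllint reports as a trailing blank line.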
@@ -0,0 +1,25 @@
+title: Suspicious SSL Connection
+id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
+status: experimental
+description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
+ - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
+author: frack113
+date: 2022/01/23
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - System.Net.Security.SslStream
+ - Net.Security.RemoteCertificateValidationCallback
+ - '.AuthenticateAsClient'
+ condition: selection
+falsepositives:
+ - legitimate administrative script
+level: low
+tags:
+ - attack.command_and_control
+ - attack.t1573
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
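Review bot: The title `Suspicious SSL Connection` and the ATT&CK description suggest any TLS client activity is in scope, but the `contains|all` selection fires only when the script also references `Net.Security.RemoteCertificateValidationCallback`, i.e. supplies its own certificate-validation callback; a script using SslStream with default validation is not matched. That narrowing is the actual signal and is a sensible one, so say so: `description: Detects PowerShell opening a TLS client connection through SslStream while installing a custom RemoteCertificateValidationCallback, a pattern seen in the scripted reverse-shell clients in the references`. A title like `PowerShell SslStream Client With Custom Certificate Validation` would stop the rule reading as broader than it is.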
diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_ad_group_reco.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml similarity index 94% rename from rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml index b33c4bea7..b533bf04b 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml @@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Florian Roth date: 2017/03/05 modified: 2021/10/18 
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_execute_batch_script.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_export_pfxcertificate.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_export_pfxcertificate.yml diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_extracting.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_extracting.yml diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml new file mode 100644 index 000000000..de0c276a4 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml 
@@ -0,0 +1,25 @@
+title: Suspicious Get-WmiObject
+id: 0332a266-b584-47b4-933d-a00b103e1b37
+status: experimental
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - Get-WmiObject
+ - gwmi
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.persistence
+ - attack.t1546
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
similarity index 96%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
index 2c106649e..7ee906b99 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
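Review bot: The ATT&CK tags do not match the selection: `Get-WmiObject`/`gwmi` is plain WMI usage, which sits under `attack.t1047` (the tag posh_ps_wmimplant.yml uses on this page), whereas `attack.t1546` Event Triggered Execution would need the subscription or consumer creation the rule never looks for. The description is the generic DS0005 data-source blurb rather than a statement of what fires; suggest `description: Detects use of the Get-WmiObject cmdlet or its gwmi alias in a script block, commonly used for local and remote system discovery`. `gwmi` as a bare substring also matches those four letters inside any other identifier; the surrounding-space form used elsewhere in this change (`'-PassThru '`) would be tighter, at the cost of missing the alias at the very start of a block, so whichever is chosen deserves a one-line comment.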
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
similarity index 98%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 929a6581f..287004ebb 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
similarity index 97%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
index 7d4d83170..655f9c3f9 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_local_group_reco.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_new_psdrive.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_smb_share_reco.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
new file mode 100644
index 000000000..196e8c2b3
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
@@ -0,0 +1,26 @@
+title: Suspicious Start-Process PassThru
+id: 0718cd72-f316-4aa2-988f-838ea8533277
+status: experimental
+description: Powershell use PassThru option to start in background
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Start-Process
+ - '-PassThru '
+ - '-FilePath '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
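Review bot: The description misstates what the rule keys on: per the linked Start-Process documentation `-PassThru` returns a Process object for the started process rather than starting it in the background, so suggest `description: Detects Start-Process invocations that combine -FilePath and -PassThru, the pattern used by the referenced Atomic Red Team T1036.003 test to launch a renamed system binary`. Both `'-PassThru '` and `'-FilePath '` rely on a trailing space, so an invocation where the switch is the last token on its line or is followed by `;` or `)` is not matched; the leading dash already anchors the parameter name, so dropping the trailing space loses little. The selection never inspects the file name, so the `attack.t1036.003` mapping rests on the reference alone; a short comment above `tags:` saying so would help the next reader.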
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
new file mode 100644
index 000000000..170af32d9
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -0,0 +1,33 @@
+title: Suspicious Start-Process PassThru
+id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
+related:
+ - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+ type: derived
+status: experimental
+description: Attempting to disable scheduled scanning and other parts of windows defender atp.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
+date: 2022/01/16
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Set-MpPreference'
+ - ' 1'
+ ScriptBlockText|contains:
+ - DisableRealtimeMonitoring
+ - DisableBehaviorMonitoring
+ - DisableScriptScanning
+ - DisableBlockAtFirstSeen
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
new file mode 100644
index 000000000..a3ff348dd
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
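Review bot: `title: Suspicious Start-Process PassThru` is copied from posh_ps_suspicious_start_process.yml and does not describe this rule; suggest `title: Windows Defender Tampering via Set-MpPreference`. The `contains|all` on `' 1'` means the equivalent Boolean form (`-DisableRealtimeMonitoring $true`; these parameters are typed Boolean) never fires, while ` 1` is satisfied by any unrelated number elsewhere in the block; splitting the value check into its own selection listing both `' 1'` and `'$true'` and combining with `all of selection*` covers both spellings. The description mentions scheduled scanning, which none of the four listed parameters controls; `description: Detects Set-MpPreference calls that turn off real-time, behaviour or script scanning or block-at-first-seen in Microsoft Defender` states what the selection actually matches.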
@@ -0,0 +1,31 @@
+title: Testing Usage of Uncommonly Used Port
+id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
+status: experimental
+description: |
+ Adversaries may communicate using a protocol and port paring that are typically not associated.
+ For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
+ - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
+author: frack113
+date: 2022/01/23
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Test-NetConnection
+ - '-ComputerName '
+ - '-port '
+ filter:
+ ScriptBlockText|contains:
+ - ' 443 '
+ - ' 80 '
+ condition: selection and not filter
+falsepositives:
+ - legitimate administrative script
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1571
diff --git a/rules/windows/powershell/powershell_script/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
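Review bot: The `filter` needs a space on both sides of the port (`' 443 '`, `' 80 '`), so a script block that ends in `-Port 443` or `-Port 80` is not excluded and alerts on the most ordinary check, while a block that mentions ` 80 ` anywhere (a port loop, a comment) suppresses a probe of an uncommon port too. Where the backend supports it, a regex such as `ScriptBlockText|re: '-[Pp]ort\s+(443|80)\b'` expresses the intent without either problem; otherwise at least add the end-of-line variants. The selection also requires the literal `'-ComputerName '`, so the positional form `Test-NetConnection <host> -Port <n>` is missed. The description is ATT&CK text with raw `(Citation: …)` markers and a typo (`paring`); suggest `description: Detects Test-NetConnection probes to ports other than 443 or 80, which may indicate testing of a non-standard command-and-control port`.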
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_upload.yml
rename to rules/windows/powershell/powershell_script/posh_ps_upload.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
similarity index 97%
rename from rules/windows/powershell/powershell_script/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/posh_ps_web_request.yml
index 2a6ff8e32..c0a922711 100644
--- a/rules/windows/powershell/powershell_script/powershell_web_request.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
@@ -14,7 +14,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
rename to rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
similarity index 95%
rename from rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 9054932c4..b52c9b8a4 100644
--- a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1547.004
- - attack.t1004 # an old one
+ - attack.t1547.004
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
similarity index 97%
rename from rules/windows/powershell/powershell_script/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index dc92e77d1..bd897115e 100644
--- a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -8,7 +8,6 @@ tags:
 - attack.execution
 - attack.t1047
 - attack.t1059.001
- - attack.t1086 #an old one
 author: NVISO
 date: 2020/03/26
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
new file mode 100644
index 000000000..23d0496ff
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -0,0 +1,30 @@
+title: Powershell XML Execute Command
+id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
+status: experimental
+description: |
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+ Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
+author: frack113
+date: 2022/01/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection_xml:
+ ScriptBlockText|contains|all:
+ - New-Object
+ - System.Xml.XmlDocument
+ - .Load
+ selection_exec:
+ - IEX
+ - Invoke-Expression
+ condition: all of selection_*
+falsepositives:
+ - legitimate administrative script
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
index 745d8b86d..c16f73005 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
@@ -5,10 +5,8 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.t1218.003
- - attack.t1191 # an old one
 - attack.execution
 - attack.t1559.001
- - attack.t1175 # an old one
 - attack.g0069
 - attack.g0080
 - car.2019-04-001
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 9b873293a..b3cf7a362 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
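Review bot: `selection_exec` is a bare list with no field name, which Sigma treats as a keyword (full-text) search rather than a `ScriptBlockText` match; that is inconsistent with `selection_xml`, fails or compiles very differently on backends without free-text search, and on the rest matches `IEX` in any field of the event. It should read `selection_exec:` / `ScriptBlockText|contains:` / `- IEX` / `- Invoke-Expression`. The description is the ATT&CK T1059.001 text with a dangling `(Citation: TechNet PowerShell)` marker; suggest `description: Detects a script block that loads an XML document via System.Xml.XmlDocument .Load and passes content to Invoke-Expression (IEX), as in Atomic Red Team T1059.001 test 8`. `.Load` on its own is a very common method name, so the rule hinges on the `System.Xml.XmlDocument` string; that is fine but worth a comment so nobody loosens it later.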
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 - car.2019-04-004
 logsource:
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index acd4cc71c..c8f9d157f 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -12,7 +12,6 @@ tags:
 - attack.defense_evasion
 - attack.t1055.001
 - attack.t1055.002
- - attack.t1055 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index 474814818..faf00f958 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.002
- - attack.t1089 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 4eb8b34b2..289f16f67 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -1,16 +1,18 @@
 title: LSASS Memory Dump
 id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
 status: experimental
-description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
-author: Samir Bousseaden
+description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
+author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2021/06/21
+modified: 2022/01/27
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+ - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
+ - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
@@ -18,11 +20,22 @@ logsource:
 detection:
 selection:
 TargetImage|endswith: '\lsass.exe'
- GrantedAccess: '0x1fffff'
+ GrantedAccess|contains:
+ - '0x1fffff'
+ - '0x01000'
+ #- '0x1010' # Too many false positives
+ - '0x1038'
+ - '0x40'
+ #- '0x1400' # Too many false positives
+ - '0x1410'
+ - '0x1438'
+ - '0x143a'
+ - '0x1000'
 CallTrace|contains:
 - 'dbghelp.dll'
 - 'dbgcore.dll'
+ - 'ntdll.dll'
 condition: selection
 falsepositives:
- - unknown
-level: high
+ - False positives are present when looking for 0x1410. Exclusions may be required.
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index cf5b00e42..98abacd62 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
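Review bot: `GrantedAccess|contains:` turns each entry into a substring match on what Sysmon reports as one complete hex mask, so `'0x40'` also hits every mask beginning `0x40` and `'0x1000'` every mask beginning `0x1000`; an exact list (`GrantedAccess:` with the same values) states the intent, and `'0x01000'` next to `'0x1000'` looks like a duplicate worth checking against real events. Adding `'ntdll.dll'` to `CallTrace|contains` likely makes that clause vacuous, since in practice nearly every process-access call trace passes through ntdll.dll; the rule then reduces to the access-mask list alone, which would explain the new falsepositives entry, so if the goal is direct-syscall tooling the distinguishing trace pattern should be spelled out in a comment. The rewritten `level: high` line drops the file's trailing newline (`\ No newline at end of file`), as the posh_ps_winlogon_helper_dll.yml hunk in this change also does; restore it for yamllint. The new falsepositives item is guidance rather than a false-positive source; `- Legitimate tooling that opens LSASS with 0x1410 (exclusions may be required)` reads as a list entry.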
@@ -19,12 +19,9 @@ tags:
 - attack.credential_access
 - attack.execution
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 - attack.s0002
 falsepositives:
 - low
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index e7724a1fa..18af3ff6d 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags
 author: Florian Roth
 date: 2021/11/22
-modified: 2022/01/08
+modified: 2022/01/13
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -17,7 +17,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
@@ -62,6 +61,8 @@ detection:
 - 'C:\Program Files\Windows Defender\MsMpEng.exe'
 - 'C:\Windows\SysWOW64\msiexec.exe'
 - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\System32\lsass.exe'
+ - 'C:\WINDOWS\System32\perfmon.exe'
 # Windows Defender
 filter2:
 SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
index 95341c500..02541dfcd 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
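Review bot: `'C:\WINDOWS\System32\perfmon.exe'` uses a different casing from every sibling entry (`C:\Windows\…`); harmless on backends that compare case-insensitively, but a silent miss on one that does not, so normalise it to `'C:\Windows\System32\perfmon.exe'`. Excluding `lsass.exe` as a source image drops LSASS's own self-access, which is reasonable, but both new entries join a list whose field and modifier start above the hunk; confirm it is an exact-match `SourceImage` list rather than a `|contains` or `|endswith` one, since path-only exclusions get much broader under those modifiers.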
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
index 3d9c64bd7..120eaa9c6 100755
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
index 41af8a48f..a8a32766e 100644
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_wocao.yml b/rules/windows/process_creation/process_creation_apt_wocao.yml
index 46bd50982..8897c3feb 100644
--- a/rules/windows/process_creation/process_creation_apt_wocao.yml
+++ b/rules/windows/process_creation/process_creation_apt_wocao.yml
@@ -14,13 +14,10 @@ tags:
 - attack.t1012
 - attack.defense_evasion
 - attack.t1036.004
- - attack.t1036 # an old one
 - attack.t1027
 - attack.execution
 - attack.t1053.005
- - attack.t1053 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 date: 2019/12/20
 modified: 2021/09/19
 logsource:
diff --git a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
index 006a75601..e41e4d43e 100644
--- a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -13,7 +13,6 @@ modified: 2021/09/12
 author: Florian Roth
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/process_creation_hack_dumpert.yml b/rules/windows/process_creation/process_creation_hack_dumpert.yml
index 4f336d5f3..98602bc2c 100644
--- a/rules/windows/process_creation/process_creation_hack_dumpert.yml
+++ b/rules/windows/process_creation/process_creation_hack_dumpert.yml
@@ -10,7 +10,6 @@ date: 2020/02/04
 modified: 2021/12/08
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_blue_mockingbird.yml
rename to rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_darkside_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_ryuk.yml b/rules/windows/process_creation/process_creation_mal_ryuk.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_ryuk.yml
rename to rules/windows/process_creation/process_creation_mal_ryuk.yml
diff --git a/rules/windows/process_creation/process_creation_msedge_minimized_download.yml b/rules/windows/process_creation/process_creation_msedge_minimized_download.yml
new file mode 100644
index 000000000..0a1e53dea
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msedge_minimized_download.yml
@@ -0,0 +1,23 @@
+title: Suspicious Minimized MSEdge Start
+id: 94771a71-ba41-4b6e-a757-b531372eaab6
+description: Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet
+author: Florian Roth
+date: 2022/01/11
+references:
+ - https://twitter.com/mrd0x/status/1478234484881436672?s=12
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'start /min msedge'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)
+level: high
diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
index 9adb6d3c1..13073ec7d 100644
--- a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
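Review bot: The rule omits `status:`, which every other new rule in this change carries; add `status: experimental` after `id:`. The single literal `'start /min msedge'` is brittle: `start` takes an optional quoted window title before the program (the `start /min "" msedge` form is common in batch files), so `CommandLine|contains|all:` over `'start'`, `'/min'` and `'msedge'` would catch the same behaviour with fewer ordinary misses. `level: high` sits uneasily beside a falsepositives entry that already names legitimate software doing exactly this; `medium` may fit better, or the description should say what makes the minimised start suspicious beyond the reference.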
+++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
@@ -4,7 +4,7 @@ description: Detects shell spawn from Java host process, which could a maintenan
 status: experimental
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/17
-modified: 2021/12/18
+modified: 2022/01/12
 tags:
 - attack.initial_access
 - attack.persistence
@@ -17,7 +17,10 @@ detection:
 ParentImage|endswith: '\java.exe'
 Image|endswith:
 - '\cmd.exe'
- condition: selection
+ filter:
+ ParentImage|contains: 'build' # excluding CI build agents
+ CommandLine|contains: 'build' # excluding CI build agents
+ condition: selection and not filter
 falsepositives:
 - Legitimate calls to system binaries
 - Company specific internal usage
diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
index 6d8556cff..b64fa098d 100644
--- a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.persistence
- - attack.t1015 # an old one
 - attack.t1546.008
 - car.2014-11-003
 - car.2014-11-008
diff --git a/rules/windows/process_creation/process_creation_susp_image_missing.yml b/rules/windows/process_creation/process_creation_susp_image_missing.yml
index 0feb50481..32d736f8b 100644
--- a/rules/windows/process_creation/process_creation_susp_image_missing.yml
+++ b/rules/windows/process_creation/process_creation_susp_image_missing.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2021/12/27
+modified: 2022/01/25
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
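Review bot: The two keys under `filter` are ANDed by Sigma's map semantics, so the exclusion only applies when both `ParentImage` and `CommandLine` contain `build`; if the two comments mean that either one marks a CI agent, they need separate selections (`filter_parent`, `filter_cmd`) and `condition: selection and not 1 of filter_*`. Either way `build` is a very short substring to exclude on — any Java process whose path or arguments happen to contain it is silently dropped — so a narrower token (the agent's executable or directory name) would keep this from becoming a blanket carve-out. The enclosing `selection` starts above the hunk.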
@@ -15,8 +15,12 @@ logsource:
 detection:
 image_absolute_path:
 Image|contains: '\'
- filter:
+ filter_null:
 Image: null
+ filter_empty:
+ Image:
+ - '-'
+ - ''
 filter_4688:
 - Image: 'Registry'
 - CommandLine: 'Registry'
diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index 5eb1994eb..024f9e164 100644
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2021/12/24
+modified: 2022/01/14
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -17,6 +17,12 @@ detection:
 Image|endswith: '.exe'
 filter_null:
 Image: null
+ filter_registry:
+ Image: 'Registry'
+ filter_empty:
+ Image:
+ - '-'
+ - ''
 filter_starts:
 Image|startswith: 'C:\Windows\Installer\MSI'
 filter_pstarts:
@@ -29,6 +35,9 @@ detection:
 filter_nvidia:
 Image|contains: 'NVIDIA\NvBackend\'
 Image|endswith: '.dat'
+ filter_com:
+ Image|startswith: 'C:\Windows\System32\'
+ Image|endswith: '.com'
 condition: not image_exe and not 1 of filter*
 falsepositives:
 - unknown
diff --git a/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml b/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml
new file mode 100644
index 000000000..58c225a5f
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml
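Review bot: Renaming `filter` to `filter_null` changes a name the `condition` (outside this hunk) may reference; if that line reads `not filter` rather than `not 1 of filter*` (the form process_creation_susp_non_exe_image.yml uses on this page), the rule no longer compiles, so check it. The `''` entry in `filter_empty` is a distinct value from `null` in Sigma, and backends differ in whether an empty-string equality can be expressed at all; the same `filter_empty` block is added to process_creation_susp_non_exe_image.yml in this change, so verify the generated query once for the target backends. Quoting `'-'` is correct — unquoted it would be read as a YAML list marker.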
@@ -0,0 +1,20 @@
+title: Suspicious Redirection to Local Admin Share
+id: ab9e3b40-0c85-4ba1-aede-455d226fd124
+status: experimental
+description: Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers
+author: Florian Roth
+date: 2022/01/16
+references:
+ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - '> \\127.0.0.1\admin$'
+ - '> \\localhost\admin$'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml
new file mode 100644
index 000000000..05d55fb8d
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml
@@ -0,0 +1,27 @@
+title: Rundll32 JS RunHTMLApplication Pattern
+id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
+status: experimental
+description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
+author: Florian Roth
+date: 2022/01/14
+references:
+ - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'rundll32'
+ - 'javascript'
+ - '..\..\mshtml,RunHTMLApplication'
+ selection2:
+ CommandLine|contains:
+ - ';document.write();GetObject("script'
+ condition: 1 of selection*
+falsepositives:
+ - unknown
+level: high
+
diff --git a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
index 5fae2a858..ef3327d7d 100644
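Review bot: The new rule `process_creation_susp_redir_local_admin_share.yml` ships without a `tags:` block, unlike every sibling rule in this directory and the other new file in this commit; add the MITRE tactic/technique tags the rule maps to so it is classified like its neighbours. Both `contains` values are anchored on the literal `> ` prefix, so the match depends on the exact whitespace between the redirection operator and the UNC path; matching on the target alone (`'\\127.0.0.1\admin$'`, `'\\localhost\admin$'`) would be whitespace-agnostic at the cost of also catching non-redirection references to the share, and whichever trade-off is chosen should be stated in `description` and reflected in `falsepositives:` instead of `unknown`.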
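Review bot: In `process_creation_susp_rundll32_js_runhtmlapplication.yml` the `tags:` block carries only the tactic `attack.defense_evasion`; the rule is about rundll32 executing JavaScript, so the technique tags this commit standardises on elsewhere apply here too, `- attack.t1218.011` and `- attack.t1059.007`. `selection1` also requires the literal `'..\..\mshtml,RunHTMLApplication'`, i.e. exactly two relative path segments; matching on `'mshtml,RunHTMLApplication'` within the same `contains|all` (together with `rundll32` and `javascript`) covers the form in the referenced advisory and any other relative depth without loosening the rule. The file ends with an extra empty line (the trailing `+` line), which yamllint flags; drop it so the file ends with a single newline after `level: high`.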
--- a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
+++ b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
@@ -11,7 +11,6 @@ modified: 2021/09/21
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
index 59ddee7cf..8cd94e687 100644
--- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -3,7 +3,7 @@ id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
 status: experimental
 author: frack113
 date: 2021/07/16
-modified: 2021/09/12
+modified: 2022/01/24
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
@@ -19,7 +19,7 @@ detection:
 select_vbs:
 CommandLine|contains|all:
 - '\SyncAppvPublishingServer.vbs'
- - '"n;'
+ - '"\n;'
 condition: select_vbs
 fields:
 - ComputerName
diff --git a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
index a0f16d53e..8ccb98db3 100644
--- a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -14,7 +14,6 @@ modified: 2021/09/12
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1088 # an old one
 - attack.t1548.002
 - car.2019-04-001
 logsource:
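Review bot: The replacement value `'"\n;'` in the `@@ -19,7 +19,7 @@` hunk changes what the rule matches rather than escaping anything: a single-quoted YAML scalar performs no escape processing, and Sigma treats a lone backslash before a non-wildcard character as a literal backslash, so `select_vbs` now requires the characters `"\n;` in the command line and no longer matches the `"n;` sequence the rule matched before (which, as far as I can tell from the referenced T1216 Atomic test, is the form the script is actually invoked with). If the edit was meant as an escape it is unnecessary and `- '"n;'` should be restored; if the backslash form was observed in telemetry, keep both by adding a second selection and `condition: 1 of select_*`, and say so in `description`. Also check the rule's `modified` date is the only other change, since the `fields:` list below is untouched context.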
diff --git a/rules/windows/process_creation/process_creation_tool_psexec.yml b/rules/windows/process_creation/process_creation_tool_psexec.yml index a352369a8..a6e7c236e 100644 --- a/rules/windows/process_creation/process_creation_tool_psexec.yml +++ b/rules/windows/process_creation/process_creation_tool_psexec.yml @@ -13,10 +13,8 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet tags: - attack.execution - - attack.t1035 # an old one - attack.t1569.002 - attack.s0029 - fields: - EventID - CommandLine diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml index 2a3b27316..e4f571891 100644 --- a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml +++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml @@ -25,5 +25,4 @@ falsepositives: level: critical tags: - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 diff --git a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml index 7a27dc2f2..18838b6a6 100644 --- a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml +++ b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml @@ -5,7 +5,6 @@ description: Detects various indicators of Microsoft Connection Manager Profile tags: - attack.defense_evasion - attack.execution - - attack.t1191 # an old one - attack.t1218.003 - attack.g0069 - car.2019-04-001 diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml index 6acf0e58f..6e14818fb 100644 --- a/rules/windows/process_creation/sysmon_hack_wce.yml +++ b/rules/windows/process_creation/sysmon_hack_wce.yml @@ -9,7 +9,6 @@ date: 2019/12/31 modified: 2021/07/15 tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.s0005 logsource: 
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index b78fef5f9..f56c4d87b 100644 --- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -27,6 +27,5 @@ falsepositives: - penetration tests, red teaming level: high tags: - - attack.t1037 # an old one - attack.t1037.001 - attack.persistence diff --git a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml index 7da6f41fd..637858fba 100644 --- a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml @@ -10,15 +10,12 @@ references: tags: - attack.persistence - attack.g0049 - - attack.t1053 # an old one - attack.t1053.005 - attack.s0111 - - attack.t1050 # an old one - attack.t1543.003 - attack.defense_evasion - attack.t1112 - attack.command_and_control - - attack.t1071 # an old one - attack.t1071.004 date: 2018/03/23 modified: 2021/09/19 diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 86145e21a..b1c55d0e3 100644 --- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml @@ -25,6 +25,4 @@ level: critical tags: - attack.execution - attack.g0016 - - attack.t1086 # an old one - - attack.t1059 # an old one - attack.t1059.001 diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml index 964fdd165..fcc4833e3 100644 --- a/rules/windows/process_creation/win_apt_babyshark.yml +++ b/rules/windows/process_creation/win_apt_babyshark.yml 
@@ -22,13 +22,9 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059 # an old one - - attack.t1086 # an old one - attack.t1059.003 - attack.t1059.001 - attack.discovery - attack.t1012 - attack.defense_evasion - - attack.t1170 # an old one - - attack.t1218 # an old one - attack.t1218.005 diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index c78bea144..8c97666b9 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -32,7 +32,5 @@ falsepositives: level: critical tags: - attack.credential_access - - attack.t1081 # an old one - - attack.t1003 # an old one - attack.t1552.001 - attack.t1003.003 diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index 79e714806..d2e7160a0 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml @@ -24,5 +24,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1117 # an old one - attack.t1218.010 diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index 417f1e5e9..0134a29c8 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml @@ -26,5 +26,4 @@ level: critical tags: - attack.execution - attack.g0045 - - attack.t1064 # an old one - attack.t1059.005 diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index 4ee34b3c6..3b6b90888 100755 --- a/rules/windows/process_creation/win_apt_elise.yml +++ b/rules/windows/process_creation/win_apt_elise.yml @@ -25,5 +25,4 @@ tags: - attack.g0050 - attack.s0081 - attack.execution - - attack.t1059 # an old one - attack.t1059.003 
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml index de8445e1d..9cda75656 100644 --- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml @@ -21,5 +21,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 5590dd0df..fd3b97578 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -24,4 +24,3 @@ level: critical tags: - attack.defense_evasion - attack.t1218.010 - - attack.t1117 # an old one diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 239bec27a..371c521ec 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -25,5 +25,4 @@ level: critical tags: - attack.g0020 - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml index 2d859fc06..bf606f567 100644 --- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml @@ -25,5 +25,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index 6a1b7e668..bf6de5e1d 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml 
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml @@ -11,11 +11,9 @@ tags: - attack.g0049 - attack.execution - attack.t1059.001 - - attack.t1086 #an old one - attack.command_and_control - attack.t1105 - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.005 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index 4ac634838..c7606ca3c 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -31,8 +31,6 @@ tags: - attack.lateral_movement - attack.g0010 - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.exfiltration - - attack.t1002 # an old one - attack.t1560.001 diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml index ab2c43ff3..5de08498b 100644 --- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml +++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml @@ -29,5 +29,4 @@ level: critical tags: - attack.g0004 - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index 53f793c7f..e9f887454 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.005 diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml index e0975073f..cd57ea865 100755 --- a/rules/windows/process_creation/win_apt_sofacy.yml 
+++ b/rules/windows/process_creation/win_apt_sofacy.yml @@ -12,10 +12,8 @@ references: tags: - attack.g0007 - attack.execution - - attack.t1059 # an old one - attack.t1059.003 - attack.defense_evasion - - attack.t1085 # an old one - car.2013-10-002 - attack.t1218.011 logsource: diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml index f337f4580..5de827af1 100755 --- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml +++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml @@ -20,6 +20,5 @@ level: high tags: - attack.defense_evasion - attack.g0035 - - attack.t1036 # an old one - attack.t1036.003 - car.2013-05-009 diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml index 3115b3104..7edbbc58c 100644 --- a/rules/windows/process_creation/win_apt_taidoor.yml +++ b/rules/windows/process_creation/win_apt_taidoor.yml @@ -27,5 +27,4 @@ falsepositives: level: critical tags: - attack.execution - - attack.t1055 # an old one - attack.t1055.001 diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml index 70dcfd75e..3f99ef284 100644 --- a/rules/windows/process_creation/win_apt_tropictrooper.yml +++ b/rules/windows/process_creation/win_apt_tropictrooper.yml @@ -9,7 +9,6 @@ references: - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ tags: - attack.execution - - attack.t1059 # an old one - attack.t1059.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml index 308d6f6b3..62e7b5c46 100644 --- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml 
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml @@ -27,8 +27,6 @@ level: critical tags: - attack.g0010 - attack.execution - - attack.t1086 # an old one - attack.t1059.001 - - attack.t1053 # an old one - attack.t1053.005 - attack.t1027 diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 9b9924582..269487c32 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -11,7 +11,6 @@ modified: 2021/09/19 tags: - attack.execution - attack.t1218.011 - - attack.t1085 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml index 595829255..95b7e5160 100644 --- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml @@ -34,5 +34,4 @@ level: critical tags: - attack.defense_evasion - attack.t1574.002 - - attack.t1073 # an old one - attack.g0044 diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index 3a4d55978..2df79a775 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -28,5 +28,4 @@ level: critical tags: - attack.defense_evasion - attack.t1574.002 - - attack.t1073 # an old one - attack.g0044 diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index b28bdae32..d47b54577 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml 
@@ -27,9 +27,7 @@ level: critical tags: - attack.execution - attack.t1059.003 - - attack.t1059 # an old one - attack.defense_evasion - attack.t1218.011 - - attack.t1085 # an old one - attack.s0412 - attack.g0001 diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml index f25853f7e..a06d44563 100644 --- a/rules/windows/process_creation/win_attrib_hiding_files.yml +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml @@ -30,4 +30,3 @@ level: low tags: - attack.defense_evasion - attack.t1564.001 - - attack.t1158 # an old one diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index f3f2deefb..ed0ee3f1d 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,6 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 9d7154328..6cb0289af 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -38,4 +38,3 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - - attack.t1059 # an old one diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml index 39ead0991..aebb33e3d 100644 --- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/win_change_default_file_association.yml 
@@ -31,4 +31,3 @@ level: low tags: - attack.persistence - attack.t1546.001 - - attack.t1042 # an old one diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml index 4d8a91334..6bc458264 100644 --- a/rules/windows/process_creation/win_cmdkey_recon.yml +++ b/rules/windows/process_creation/win_cmdkey_recon.yml @@ -11,7 +11,6 @@ modified: 2021/07/07 tags: - attack.credential_access - attack.t1003.005 - - attack.t1003 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml index 7a12cc4a4..8fc6974f8 100644 --- a/rules/windows/process_creation/win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml @@ -7,9 +7,7 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one - attack.t1218.003 - - attack.t1191 # an old one - attack.g0069 - car.2019-04-001 author: Nik Seetharaman, Christian Burkard diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml index 65790fd31..60b22b197 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal.yml +++ b/rules/windows/process_creation/win_commandline_path_traversal.yml @@ -24,4 +24,3 @@ level: high tags: - attack.execution - attack.t1059.003 - - attack.t1059 # an old one diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index 4c7d6f778..f99241c94 100644 --- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml @@ -32,6 +32,5 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218.002 - - attack.t1196 # an old one - attack.persistence - attack.t1546 
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml index 8a73e1118..2d41fb2ef 100644 --- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml +++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml @@ -38,6 +38,5 @@ tags: - attack.credential_access - attack.t1003.002 - attack.t1003.003 - - attack.t1003 # an old one - car.2013-07-001 - attack.s0404 diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml index c67033c10..8d361c2c1 100644 --- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -10,7 +10,6 @@ references: - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter tags: - attack.credential_access - - attack.t1174 # an old one - attack.t1556.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml index 1b4bfd5c4..956047838 100755 --- a/rules/windows/process_creation/win_crime_fireball.yml +++ b/rules/windows/process_creation/win_crime_fireball.yml @@ -27,4 +27,3 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218.011 - - attack.t1085 # an old one diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml index 8f8be3398..335b05c1c 100644 --- a/rules/windows/process_creation/win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml @@ -12,7 +12,6 @@ modified: 2021/06/27 tags: - attack.execution - attack.t1204.002 - - attack.t1204 # an old one - attack.t1047 - attack.impact - attack.t1490 
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index 5f773d70e..f5d8fea51 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -28,7 +28,5 @@ falsepositives: - Highly likely if rar is a default archiver in the monitored environment. level: low tags: - - attack.exfiltration # an old one - - attack.t1002 # an old one - attack.collection - attack.t1560.001 diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml index 6d32387c5..e64b59455 100644 --- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -19,9 +19,6 @@ level: high tags: - attack.exfiltration - attack.t1048.001 - - attack.t1048 # an old one - attack.command_and_control - attack.t1071.004 - - attack.t1071 # an old one - attack.t1132.001 - - attack.t1132 # an old one diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml index cf8eab19a..2fe209a11 100644 --- a/rules/windows/process_creation/win_encoded_frombase64string.yml +++ b/rules/windows/process_creation/win_encoded_frombase64string.yml @@ -23,4 +23,3 @@ tags: - attack.t1140 - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml index ce729589d..29310e995 100644 --- a/rules/windows/process_creation/win_encoded_iex.yml +++ b/rules/windows/process_creation/win_encoded_iex.yml @@ -25,4 +25,3 @@ level: critical tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one 
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml index e8bdeabe3..6168319ef 100644 --- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml @@ -22,7 +22,6 @@ level: medium tags: - attack.exfiltration - attack.command_and_control - - attack.t1043 # an old one - attack.t1041 - attack.t1572 - attack.t1071.001 diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml index 058135789..46c3fd96f 100644 --- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml @@ -22,4 +22,3 @@ level: critical tags: - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml index 6f646ada8..366161d87 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml @@ -22,7 +22,5 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml index 97816d3eb..e18716b04 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml @@ -24,7 +24,5 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one 
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 9462de4c8..cdcb80633 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml @@ -23,7 +23,5 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index f3bf0b305..25bd0ce55 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml @@ -34,6 +34,5 @@ tags: - attack.t1068 - attack.execution - attack.t1059.003 - - attack.t1059 # an old one - attack.t1574 - cve.2019.1378 diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index db2fbb2fd..f3e13062d 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml @@ -27,8 +27,6 @@ tags: - attack.t1190 - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.t1059.003 - - attack.t1059 # an old one - attack.s0190 - cve.2020.10189 diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml index 1cf672143..99e1ac1cb 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml @@ -30,4 +30,3 @@ tags: - attack.persistence - attack.execution - attack.t1059.001 - - attack.t1086 #an old one 
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml index 15e2bb975..6d031b2cd 100644 --- a/rules/windows/process_creation/win_file_permission_modifications.yml +++ b/rules/windows/process_creation/win_file_permission_modifications.yml @@ -29,5 +29,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1222.001 - - attack.t1222 # an old one + - attack.t1222.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml index ea2d0dcd9..f57aab90e 100644 --- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml @@ -48,5 +48,4 @@ tags: - attack.t1003.002 - attack.t1003.004 - attack.t1003.005 - - attack.t1003 # an old one - car.2013-07-001 diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml index 3288e0325..5348ee4dc 100644 --- a/rules/windows/process_creation/win_hack_bloodhound.yml +++ b/rules/windows/process_creation/win_hack_bloodhound.yml @@ -38,11 +38,8 @@ tags: - attack.discovery - attack.t1087.001 - attack.t1087.002 - - attack.t1087 # an old one - attack.t1482 - attack.t1069.001 - attack.t1069.002 - - attack.t1069 # an old one - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml index 00c8a6457..de808b09f 100644 --- a/rules/windows/process_creation/win_hack_koadic.yml +++ b/rules/windows/process_creation/win_hack_koadic.yml 
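Review bot: The rewritten last line `+ - attack.t1222.001` is followed by `\ No newline at end of file`, so the hunk strips the file's terminating newline while only intending to drop the `attack.t1222` tag; keep the final newline so yamllint's `new-line-at-end-of-file` check and line-oriented tooling keep working. The same regression appears in `win_hack_koadic.yml` and `win_hh_chm.yml` on the following line of this diff.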
@@ -29,7 +29,5 @@ level: high tags: - attack.execution - attack.t1059.003 - - attack.t1059 # an old one - attack.t1059.005 - - attack.t1059.007 - - attack.t1064 # an old one + - attack.t1059.007 \ No newline at end of file diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index 0d2a8a8ea..2f2be0485 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml @@ -33,7 +33,5 @@ tags: - attack.credential_access - attack.t1003 - attack.t1558.003 - - attack.t1558 # an old one - attack.lateral_movement - attack.t1550.003 - - attack.t1097 # an old one diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index 3555ed2db..269387b78 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -11,8 +11,6 @@ modified: 2021/05/11 tags: - attack.credential_access - attack.t1555 - - attack.t1003 # an old one - - attack.t1503 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 21ee36e10..31d4db1ec 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml @@ -25,6 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1218.001 - - attack.execution # an old one - - attack.t1223 # an old one + - attack.t1218.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml index 04c9f49ab..c02a938e3 100644 --- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml 
@@ -8,7 +8,6 @@ date: 2020/21/04 modified: 2021/06/11 author: Sreeman tags: - - attack.t1064 - attack.t1211 - attack.t1059 - attack.defense_evasion diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index a54f7b140..6f8fea711 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -10,7 +10,6 @@ modified: 2021/09/19 tags: - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml index 971bfb366..6eb7b0667 100644 --- a/rules/windows/process_creation/win_html_help_spawn.yml +++ b/rules/windows/process_creation/win_html_help_spawn.yml @@ -34,7 +34,6 @@ tags: - attack.t1218.010 - attack.t1218.011 - attack.execution - - attack.t1223 # an old one - attack.t1059.001 - attack.t1059.003 - attack.t1059.005 diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml index 9a7d4c55f..5c34f31f4 100644 --- a/rules/windows/process_creation/win_hwp_exploits.yml +++ b/rules/windows/process_creation/win_hwp_exploits.yml @@ -25,9 +25,7 @@ level: high tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one - attack.execution - attack.t1203 - attack.t1059.003 - - attack.t1059 # an old one - attack.g0032 diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index 0d9c18037..455a6010d 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml 
@@ -64,6 +64,4 @@ tags: - attack.execution - attack.t1047 - attack.lateral_movement - - attack.t1175 # an old one - attack.t1021.003 - - attack.t1021 # an old one diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml index 2e1c00d3b..c58de2186 100644 --- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml @@ -30,4 +30,3 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.008 - - attack.t1015 # an old one diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index b3f8beed9..dc70e52e8 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml @@ -26,4 +26,3 @@ level: high tags: - attack.privilege_escalation - attack.t1053.002 - - attack.t1053 # an old one diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index 8eaa326ba..13908f26f 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -28,4 +28,3 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 - - attack.t1086 #an old one diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml index c342fe36a..dcfde00a4 100644 --- a/rules/windows/process_creation/win_lethalhta.yml +++ b/rules/windows/process_creation/win_lethalhta.yml @@ -21,5 +21,3 @@ level: high tags: - attack.defense_evasion - attack.t1218.005 - - attack.execution # an old one - - attack.t1170 # an old one 
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index c413f4987..27c50a03e 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml @@ -62,4 +62,3 @@ tags: - attack.discovery - attack.t1033 - attack.t1087.001 - - attack.t1087 # an old one diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml index 447057246..c06734aac 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml @@ -10,7 +10,6 @@ modified: 2021/06/11 tags: - attack.defense_evasion - attack.execution - - attack.t1085 # an old one - attack.t1218.011 logsource: product: windows diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml index 6821201cf..7911e9cc3 100644 --- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml @@ -5,7 +5,7 @@ status: experimental references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 -date: 2020/21/04 +date: 2020/04/21 modified: 2022/01/11 tags: - attack.defense_evasion @@ -27,4 +27,4 @@ falsepositives: - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index 9860bfa66..92b8e8fc5 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml 
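Review bot: The `-date: 2020/21/04` / `+date: 2020/04/21` fix in the first winget hunk is correct, but the same impossible month value is visible in the hunk header context of win_hiding_malware_in_fonts_folder.yml (`date: 2020/21/04`) and is left untouched by this commit; it presumably wants the same correction, `date: 2020/04/21`, assuming the day and month were swapped there as well. The second winget hunk only restores the trailing newline after `level: medium`, which matches the rest of the rule set.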
+++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -34,4 +34,3 @@ level: high tags: - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 35a24f5a2..b777f363a 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -12,7 +12,6 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - - attack.t1064 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml index e0f748816..a005aad69 100644 --- a/rules/windows/process_creation/win_malware_emotet.yml +++ b/rules/windows/process_creation/win_malware_emotet.yml @@ -8,7 +8,6 @@ modified: 2021/11/29 tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.defense_evasion - attack.t1027 references: diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 1401ee4b8..1f6d68412 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -33,11 +33,7 @@ level: critical tags: - attack.defense_evasion - attack.t1218.011 - - attack.execution # an old one - - attack.t1085 # an old one - attack.t1070.001 - - attack.t1070 # an old one - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one - car.2016-04-002 diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml index 5e6554068..812ee0c66 100644 --- a/rules/windows/process_creation/win_malware_qbot.yml +++ b/rules/windows/process_creation/win_malware_qbot.yml 
@@ -8,8 +8,6 @@ modified: 2021/01/25 tags: - attack.execution - attack.t1059.005 - - attack.defense_evasion # an old one - - attack.t1064 # an old one references: - https://twitter.com/killamjr/status/1179034907932315648 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/ diff --git a/rules/windows/process_creation/win_malware_ryuk.yml b/rules/windows/process_creation/win_malware_ryuk.yml index d5a013d24..0505a7518 100644 --- a/rules/windows/process_creation/win_malware_ryuk.yml +++ b/rules/windows/process_creation/win_malware_ryuk.yml @@ -25,4 +25,3 @@ level: critical tags: - attack.persistence - attack.t1547.001 - - attack.t1060 # an old one diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index 991f5f3a1..7457d8f48 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -37,5 +37,3 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - - attack.defense_evasion # an old one - - attack.t1064 # an old one diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 5498fac78..b9bc99598 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -58,7 +58,6 @@ tags: - attack.t1083 - attack.defense_evasion - attack.t1222.001 - - attack.t1222 # an old one - attack.impact - attack.t1486 - attack.t1490 diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml index a1ceeef7a..465d9c9de 100644 --- a/rules/windows/process_creation/win_mavinject_proc_inj.yml +++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml @@ -20,6 +20,5 @@ falsepositives: - unknown level: critical tags: - - attack.t1055 # an old one - attack.t1055.001 - attack.t1218 
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index f7fe4b4bf..59be92668 100644 --- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -10,7 +10,6 @@ references: - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ tags: - attack.privilege_escalation - - attack.t1134 # an old one - attack.t1134.001 - attack.t1134.002 logsource: diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml index c876678d4..4ba3573a8 100644 --- a/rules/windows/process_creation/win_mimikatz_command_line.yml +++ b/rules/windows/process_creation/win_mimikatz_command_line.yml @@ -10,7 +10,6 @@ date: 2019/10/22 modified: 2021/12/20 tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.t1003.002 - attack.t1003.004 diff --git a/rules/windows/process_creation/win_mmc20_lateral_movement.yml b/rules/windows/process_creation/win_mmc20_lateral_movement.yml index 4a2128d2f..87f5f84ab 100644 --- a/rules/windows/process_creation/win_mmc20_lateral_movement.yml +++ b/rules/windows/process_creation/win_mmc20_lateral_movement.yml @@ -22,5 +22,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1175 # an old one - attack.t1021.003 diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index a5718cb6b..1d5e81243 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml @@ -33,5 +33,4 @@ fields: level: high tags: - attack.lateral_movement - - attack.t1175 # an old one - attack.t1021.003 
diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml index 7b146ad29..f818a52a8 100644 --- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml @@ -6,9 +6,7 @@ references: status: experimental tags: - attack.persistence - - attack.t1031 # an old one - attack.t1543.003 - - attack.t1058 # an old one - attack.t1574.011 author: Sreeman date: 2020/09/29 diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml index 2c178ca7e..6a83af5e9 100644 --- a/rules/windows/process_creation/win_mshta_javascript.yml +++ b/rules/windows/process_creation/win_mshta_javascript.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1170 # an old one - attack.t1218.005 diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml index 2bdbff9c6..3d47a06ee 100644 --- a/rules/windows/process_creation/win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -35,7 +35,6 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1170 # an old one - attack.t1218.005 - car.2013-02-003 - car.2013-03-001 diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index fe8e125f4..b20d4c064 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml @@ -30,5 +30,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1136 # an old one - attack.t1136.001 diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml index 1bef8de86..c875ca215 100644 
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml @@ -29,5 +29,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index 82a419946..4dc66d7ef 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml @@ -24,5 +24,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index d8abf36bc..f20dced4e 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml @@ -57,5 +57,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml index 93134c22e..7182f6f9c 100644 --- a/rules/windows/process_creation/win_new_service_creation.yml +++ b/rules/windows/process_creation/win_new_service_creation.yml @@ -25,5 +25,4 @@ level: low tags: - attack.persistence - attack.privilege_escalation - - attack.t1050 # an old one - attack.t1543.003 diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml index 68cb6815d..c772b686b 100644 --- a/rules/windows/process_creation/win_non_interactive_powershell.yml +++ b/rules/windows/process_creation/win_non_interactive_powershell.yml 
@@ -9,7 +9,6 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml index e06da5ede..c71a80191 100644 --- a/rules/windows/process_creation/win_office_shell.yml +++ b/rules/windows/process_creation/win_office_shell.yml @@ -52,5 +52,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index fbb81445b..c920f4450 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -7,7 +7,6 @@ references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002 - attack.g0046 - car.2013-05-002 diff --git a/rules/windows/process_creation/win_pc_cmd_delete.yml b/rules/windows/process_creation/win_pc_cmd_delete.yml new file mode 100644 index 000000000..6b9cba57b --- /dev/null +++ b/rules/windows/process_creation/win_pc_cmd_delete.yml 
@@ -0,0 +1,30 @@
+title: Windows Cmd Delete File
+id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
+status: experimental
+description: |
+ Adversaries may delete files left behind by the actions of their intrusion activity.
+ Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+ Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
+author: frack113
+date: 2022/01/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|contains|all:
+ - 'del '
+ - /f
+ - CommandLine|contains|all:
+ - rmdir
+ - /s
+ - /q
+ condition: selection
+falsepositives:
+ - Legitim script
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/process_creation/win_pc_cmd_redirect.yml b/rules/windows/process_creation/win_pc_cmd_redirect.yml
new file mode 100644
index 000000000..44582efde
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_cmd_redirect.yml
@@ -0,0 +1,22 @@
+title: Redirect Output in CommandLine
+id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
+status: experimental
+description: Use ">" to redicrect information in commandline
+author: frack113
+references:
+ - https://ss64.com/nt/syntax-redirection.html
+date: 2022/01/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: '>'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.discovery
+ - attack.t1082
diff --git a/rules/windows/process_creation/win_pc_dsim_remove.yml b/rules/windows/process_creation/win_pc_dsim_remove.yml
new file mode 100644
index 000000000..fef0d5ff6
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_dsim_remove.yml
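Review bot: The first branch of `selection`, `CommandLine|contains|all: ['del ', '/f']`, is not anchored to cmd.exe, so any process whose command line contains the substring `del ` (a path or a word such as `model `) together with `/f` matches; the `rmdir` / `/s` / `/q` branch likewise fires on routine build and cleanup scripts. Both `del` and `rmdir` are cmd builtins, so adding `Image|endswith: '\cmd.exe'` as a separate selection joined with `condition: image and selection` (as win_pc_cmd_redirect.yml in this commit does) and writing the first item as `' del '` with a leading space would narrow it to the intended behaviour. `falsepositives: - Legitim script` should read `Legitimate scripts` and would be more useful naming cleanup/build scripts explicitly.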
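Review bot: `CommandLine|contains: '>'` on cmd.exe fires on every output redirection, including the ubiquitous `>nul` and `2>&1` in scheduled tasks, installers and build scripts, so `falsepositives: - Unknown` understates what an analyst will see; list those patterns and reconsider whether the rule is useful at all without a narrower selection. The tags `attack.discovery` / `attack.t1082` (System Information Discovery) do not describe output redirection; if the intent is capturing command output to a file, something like T1074.001 (Local Data Staging) would be closer, and the ss64 reference does not settle the mapping. The description also has a typo, `redicrect` → `redirect`.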
@@ -0,0 +1,37 @@
+title: Dism Remove Online Package
+id: 43e32da2-fdd0-4156-90de-50dfd62636f9
+status: experimental
+description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+author: frack113
+date: 2022/01/16
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_dismhost:
+ Image|endswith: '\DismHost.exe'
+ ParentCommandLine|contains|all:
+ - '/online'
+ - '/Disable-Feature'
+ - '/FeatureName:'
+ - '/Remove'
+ #/NoRestart
+ #/quiet
+ selection_dism:
+ Image|endswith: '\Dism.exe'
+ CommandLine|contains|all:
+ - '/online'
+ - '/Disable-Feature'
+ - '/FeatureName:'
+ - '/Remove'
+ #/NoRestart
+ #/quiet
+ condition: 1 of selection_*
+falsepositives:
+ - Legitim script
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml b/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml
new file mode 100644
index 000000000..6c82e64d1
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml
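Review bot: The `description` is DISM's general product summary and never says what the two selections look for (online removal of a Windows feature via `/Disable-Feature ... /Remove`, per the referenced Defender-disable atomic test), so `falsepositives: - Legitim script` gives an analyst nothing to triage against; state the intent, e.g. `description: Detects Dism.exe, or its child DismHost.exe, disabling and removing a Windows feature online, as used to remove Windows Defender`, and fix `Legitim` → `Legitimate`. The file name `win_pc_dsim_remove.yml` transposes the tool name (`dsim` vs `Dism`), and the commented `#/NoRestart` / `#/quiet` items in both selections should either become a `# ` comment explaining why those switches are not required or be dropped. The last line also lacks a trailing newline.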
@@ -0,0 +1,27 @@
+title: Suspisious Msiexec Execute Arbitrary DLL
+id: 6f4191bb-912b-48a8-9ce7-682769541e6d
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+date: 2022/01/16
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\msiexec.exe'
+ CommandLine|contains|all:
+ - ' /y'
+ #- '.dll'
+ condition: selection
+falsepositives:
+ - Legitim script
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml b/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml
new file mode 100644
index 000000000..704e600df
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml
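Review bot: `CommandLine|contains|all:` with the single remaining item `' /y'` is just a `contains`; either change it to `CommandLine|contains: ' /y'` or turn the commented `#- '.dll'` into a `# ` comment explaining that the module path is deliberately not matched (it may be renamed), so the next reader does not re-add it blindly. `/y` is msiexec's DllRegisterServer switch; the paired `/z` (DllUnregisterServer) loads the module the same way and is worth a second list item if the rule's goal is proxy-execution coverage. The title misspells `Suspisious`, `Legitim script` should be `Legitimate scripts`, and the file ends without a newline.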
@@ -0,0 +1,27 @@
+title: Suspisious Msiexec Quiet Install
+id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+date: 2022/01/16
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\msiexec.exe'
+ CommandLine|contains|all:
+ - ' /i'
+ - ' /q'
+ condition: selection
+falsepositives:
+ - Legitim script
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_run_from_zip.yml b/rules/windows/process_creation/win_pc_run_from_zip.yml
new file mode 100644
index 000000000..e7fc41db3
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_run_from_zip.yml
@@ -0,0 +1,21 @@
+title: Run from a Zip File
+id: 1a70042a-6622-4a2b-8958-267625349abf
+status: experimental
+description: Payloads may be compressed, archived, or encrypted in order to avoid detection
+author: frack113
+date: 2021/12/26
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: '.zip\'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
new file mode 100644
index 000000000..791898f77
--- /dev/null
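Review bot: `' /i'` combined with `' /q'` is the standard invocation of every silent MSI deployment (SCCM/Intune, vendor updaters, package managers), so `falsepositives: - Legitim script` should name software deployment tooling explicitly, and the `description` should say what is detected (a quiet MSI install) instead of repeating the generic msiexec text shared with win_pc_msiexec_execute_dll.yml. The title misspells `Suspisious`, `Legitim` should be `Legitimate`, and the file lacks a trailing newline.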
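Review bot: The tags `attack.impact` / `attack.t1485` (Data Destruction) contradict the rule itself: the only reference is the T1027 atomic test on execution from a compressed file and the description is about avoiding detection, so the tags should be `- attack.defense_evasion` / `- attack.t1027`. `Image|contains: '.zip\'` also matches executables run from Explorer's temporary extraction folder of a legitimately opened archive, which is worth recording under `falsepositives` in place of `unknown`. The file ends without a trailing newline.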
+++ b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
@@ -0,0 +1,30 @@
+title: Obfuscated Command Line Using Special Unicode Characters
+id: e0552b19-5a83-4222-b141-b36184bb8d79
+status: experimental
+description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+author: frack113
+references:
+ - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
+date: 2022/01/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ #find the sysmon event
+ CommandLine|contains:
+ - 'â'
+ - '€'
+ - '£'
+ - '¯'
+ - '®'
+ - 'µ'
+ - '¶'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_susp_curl_useragent.yml b/rules/windows/process_creation/win_pc_susp_curl_useragent.yml
new file mode 100644
index 000000000..f2a7d88f1
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_curl_useragent.yml
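Review bot: The `CommandLine|contains` list starting `'â'`, `'€'` looks like UTF-8 text decoded as CP-1252 (`â€` is the classic mojibake of a UTF-8 quotation mark) rather than the code points discussed in the referenced command-line-obfuscation post; confirm the intended characters against that post and write them as explicit `"\uXXXX"` escapes in double quotes so that a re-encoding of the rule file cannot silently change what is detected. `£`, `µ` and `®` also occur in legitimate localized or vendor command lines, so `level: high` with `falsepositives: - unknown` needs justification in the description. The second reference (T1027 atomic test 6, DLP evasion via a VBA macro over HTTP) is unrelated to command-line obfuscation and should be dropped, and the working note `#find the sysmon event` should be removed or rewritten as a proper `# ` comment stating what it means.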
@@ -0,0 +1,31 @@
+title: Suspicious Curl Change User Agents
+id: 3286d37a-00fd-41c2-a624-a672dcd34e60
+status: experimental
+description: Detects a suspicious curl process start on Windows with set useragent options
+author: frack113
+references:
+ - https://curl.se/docs/manpage.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
+date: 2022/01/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_curl:
+ - Image|endswith: '\curl.exe'
+ - Product: 'The curl executable'
+ selection_opt:
+ CommandLine|contains:
+ - ' -A '
+ - ' --user-agent '
+ condition: all of selection_*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/windows/process_creation/win_pc_susp_instalutil.yml b/rules/windows/process_creation/win_pc_susp_instalutil.yml
new file mode 100644
index 000000000..cbf7ebc50
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_instalutil.yml
@@ -0,0 +1,25 @@
+title: Suspicious Execution of InstallUtil Without Log
+id: d042284c-a296-4988-9be5-f424fadcc28c
+status: experimental
+description: Uses the .NET InstallUtil.exe application in order to execute image without log
+author: frack113
+references:
+ - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
+date: 2022/01/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \InstallUtil.exe
+ Image|contains: Microsoft.NET\Framework64\
+ CommandLine|contains|all:
+ - '/logfile= '
+ - '/LogToConsole=false'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
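Review bot: `selection_opt` only matches `' -A '` and `' --user-agent '` with a space on both sides, so `-A"Mozilla/5.0"` written without the separating space, and the equivalent header override `-H "User-Agent: ..."`, are not seen; if the goal is any custom user agent, either add `' -H '` paired with a `User-Agent` contains check in a further selection or state the gap in the `description`. The description `with set useragent options` would read better as `that sets a custom User-Agent (-A / --user-agent)`, which also tells the analyst which field to look at.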
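Review bot: `tags` ends at `attack.defense_evasion` with no technique; InstallUtil proxy execution is `attack.t1218.004`, the same ID already used by win_possible_applocker_bypass.yml in this commit, so add `- attack.t1218.004`. `Image|contains: Microsoft.NET\Framework64\` covers only the 64-bit binary and misses the 32-bit one under `Microsoft.NET\Framework\`; either drop the directory constraint or list both paths. The file name `win_pc_susp_instalutil.yml` misspells InstallUtil, and the unquoted `\InstallUtil.exe` / `Microsoft.NET\Framework64\` scalars should be single-quoted like every other rule in this directory for consistency.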
diff --git a/rules/windows/process_creation/win_pc_susp_radmin.yml b/rules/windows/process_creation/win_pc_susp_radmin.yml
new file mode 100644
index 000000000..4e90803f2
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_radmin.yml
@@ -0,0 +1,25 @@
+title: Use Radmin Viewer Utility
+id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
+status: experimental
+description: An adversary may use Radmin Viewer Utility to remotely control Windows device
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md#atomic-test-1---radmin-viewer-utility
+ - https://www.radmin.fr/
+date: 2022/01/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Description: 'Radmin Viewer'
+ - Product: 'Radmin Viewer'
+ - OriginalFileName: 'Radmin.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1072
diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
new file mode 100644
index 000000000..e9a92cdbb
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
@@ -0,0 +1,24 @@
+title: Uninstall Sysinternals Sysmon
+id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
+status: experimental
+description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
+author: frack113
+date: 2022/01/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sysmon:
+ Image|endswith:
+ - \Sysmon64.exe
+ - \Sysmon.exe
+ CommandLine|contains: '-u'
+ condition: sysmon
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
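Review bot: The `selection` matches every launch of the Radmin Viewer client (by `Description`, `Product` or `OriginalFileName`), which is a commercial remote-administration product, so with `falsepositives: - Unknown` and `level: high` the rule will page on routine admin use wherever Radmin is licensed. Record `Legitimate use of Radmin Viewer by administrators` under `falsepositives`, consider `level: medium`, and make the `description` say that this is the viewer (client) process rather than the remote server component, since that changes what an analyst should check next. The title reads better as `Use of Radmin Viewer Utility`.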
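Review bot: `CommandLine|contains: '-u'` is both too loose and too narrow: it matches any Sysmon invocation whose arguments merely contain `-u` as a substring (a config path such as `\sysmon-update\config.xml`), and it misses the `/u` spelling, since Sysinternals tools accept `-` and `/` interchangeably as switch prefixes. Anchoring on the preceding space, `CommandLine|contains: [' -u', ' /u']`, removes most of the substring noise and covers both forms; a regex via `|re` that requires the switch to be a whole token would be tighter still. Naming the selection `sysmon` rather than the conventional `selection` is a style departure from the other rules in this directory.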
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index b49d01714..541f37f4c 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -93,5 +93,4 @@ level: high tags: - attack.s0013 - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 604cf1171..8f0583ae3 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -31,12 +31,8 @@ falsepositives: level: low tags: - attack.defense_evasion - - attack.t1118 # an old one - attack.t1218.004 - - attack.t1121 # an old one - attack.t1218.009 - - attack.t1127 # an old one - attack.t1127.001 - - attack.t1170 # an old one - attack.t1218.005 - attack.t1218 # no way to map 1:1, so the technique level is required diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml index 8c0411ff2..d8a7dae29 100755 --- a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml +++ b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml @@ -6,7 +6,6 @@ references: - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ tags: - attack.privilege_escalation - - attack.t1058 # an old one - attack.t1574.011 status: experimental author: Teymur Kheirkhabarov diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml index 09998eae9..2c58a5c20 100644 
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -24,5 +24,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml index cb815be74..a4878832d 100644 --- a/rules/windows/process_creation/win_powershell_defender_exclusion.yml +++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml @@ -5,18 +5,21 @@ description: Detects requests to exclude files, folders or processes from Antivi references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://twitter.com/AdamTheAnalyst/status/1483497517119590403 tags: - attack.defense_evasion - attack.t1562.001 author: Florian Roth date: 2021/04/29 -modified: 2021/07/12 +modified: 2022/01/19 logsource: category: process_creation product: windows detection: selection1: - CommandLine|contains: 'Add-MpPreference ' + CommandLine|contains: + - 'Add-MpPreference ' + - 'Set-MpPreference ' selection2: CommandLine|contains: - ' -ExclusionPath ' diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index f9cdc7643..3daa30895 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -11,7 +11,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation 
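Review bot: The new `'Set-MpPreference '` item in `selection1` widens the rule, but the `description` shown in the hunk header context still only speaks of requests to exclude files, folders or processes; it should name both cmdlets, e.g. append `via Add-MpPreference or Set-MpPreference (the latter replaces the exclusion list rather than appending to it)`, since that distinction matters when triaging. The trailing space inside both literals means a command line that ends with the cmdlet name (parameters supplied by splatting or on a continuation line) will not match; that is a reasonable trade-off against matching other `*-MpPreference` names, but it deserves a one-line `# ` comment above the list. `selection2` and the `condition` continue outside this hunk.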
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml index 4fc137225..befce328c 100644 --- a/rules/windows/process_creation/win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -27,5 +27,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml index 70e0f1d72..856abdef9 100644 --- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml +++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml @@ -31,5 +31,4 @@ level: medium tags: - attack.defense_evasion - attack.execution - - attack.t1086 # an old one - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index 37b1e3235..f68352373 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -26,6 +26,5 @@ falsepositives: - unknown level: medium tags: - - attack.t1086 # an old one - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index 06cee06aa..58199e0fa 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml @@ -10,7 +10,6 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index cdbf19a7c..2727ed012 100644 --- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -61,5 +61,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index c09ec56b0..7b42b8dd9 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -29,7 +29,6 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1086 # an old one - attack.t1059.001 - attack.t1140 - attack.t1027 diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml index 32304fcde..4b13c0cca 100644 --- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml @@ -38,8 +38,6 @@ tags: - attack.execution - attack.persistence - attack.privilege_escalation - - attack.t1053 # an old one - - attack.t1086 # an old one - attack.s0111 - attack.g0022 - attack.g0060 diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index cc7e331b6..d4040c6ab 100644 --- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml @@ -12,7 +12,6 @@ date: 2019/02/23 modified: 2021/11/24 tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 - attack.t1036.005 logsource: 
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml index c261b918a..9bacedfbd 100644 --- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -13,7 +13,6 @@ tags: - attack.defense_evasion - attack.t1036 - attack.credential_access - - attack.t1003 # an old one - car.2013-05-009 - attack.t1003.001 logsource: diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml index c854fac36..78252d478 100644 --- a/rules/windows/process_creation/win_psexesvc_start.yml +++ b/rules/windows/process_creation/win_psexesvc_start.yml @@ -17,6 +17,5 @@ falsepositives: level: low tags: - attack.execution - - attack.t1035 # an old one - attack.s0029 - attack.t1569.002 diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 1d0969a5f..987211efa 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -1,10 +1,10 @@ title: PurpleSharp Indicator id: ff23ffbc-3378-435e-992f-0624dcf93ab4 status: experimental -description: Detect +description: Detects the execution of the PurpleSharp adversary simulation tool author: Florian Roth date: 2021/06/18 -modified: 2021/07/06 +modified: 2022/01/12 references: - https://github.com/mvelazc0/PurpleSharp logsource: @@ -16,8 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFileName: - - 'PurpleSharp.exe' + OriginalFileName: 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: - Unlikely diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml index 27e8145f1..f4e243d03 100644 
--- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml +++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml @@ -26,7 +26,6 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1059 # an old one - attack.t1106 - attack.t1059.003 - attack.t1218.011 diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index 64886809f..918ecf848 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -9,7 +9,6 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 - attack.t1021.006 logsource: diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 0f827f6d0..67777f2f1 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml @@ -65,5 +65,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml index 9bdd3dfa4..7985b931c 100644 --- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml +++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml @@ -49,5 +49,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml index 6c207f7ba..46e925dcd 100644 --- a/rules/windows/process_creation/win_renamed_jusched.yml 
+++ b/rules/windows/process_creation/win_renamed_jusched.yml @@ -25,5 +25,4 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index 8213ed3fe..02c8e11b8 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -29,7 +29,6 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 - attack.g0046 - car.2013-05-009 diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml index 59633afe4..3f6dfa2b4 100644 --- a/rules/windows/process_creation/win_renamed_powershell.yml +++ b/rules/windows/process_creation/win_renamed_powershell.yml @@ -10,7 +10,6 @@ modified: 2021/07/03 tags: - car.2013-05-009 - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 logsource: product: windows diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index 88783c5d7..843aa8c3e 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -9,7 +9,6 @@ date: 2019/11/18 modified: 2021/08/16 tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 logsource: product: windows diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml index 9301e549c..5ab16c728 100644 --- a/rules/windows/process_creation/win_renamed_psexec.yml +++ b/rules/windows/process_creation/win_renamed_psexec.yml @@ -26,5 +26,4 @@ level: high tags: - car.2013-05-009 - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 
diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml new file mode 100644 index 000000000..e3a07fbe1 --- /dev/null +++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml @@ -0,0 +1,26 @@ +title: Application Executed Non-Executable Extension +id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf +status: experimental +description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file +references: + - https://twitter.com/mrd0x/status/1481630810495139841?s=12 +author: Tim Shelton, Florian Roth +date: 2022/01/13 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\rundll32.exe' + filter_empty: + CommandLine: null + filter: + - CommandLine|contains: '.dll' + - CommandLine: '' + condition: selection and not 1 of filter* +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml index 236e6441a..1e3a8da04 100644 --- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml +++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml @@ -23,5 +23,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1096 # an old one - attack.t1564.004 diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index c688f5fa9..e1113ee4b 100644 --- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -8,7 +8,6 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.011 - - attack.t1138 # an old one author: Markus Neis date: 2019/01/16 modified: 2021/08/14 
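Review bot: The new rule win_run_executable_invalid_extension.yml has no `tags:` block, which stands out in a commit that otherwise normalises ATT&CK tags on every rule; the neighbouring rundll32 rules carry `- attack.defense_evasion` and `- attack.t1218.011`, so the same pair would keep it consistent. The title "Application Executed Non-Executable Extension" is broader than the detection, which only selects `Image|endswith: '\rundll32.exe'`; either the title should name rundll32 or the description should say why it is generic. `falsepositives: - Unknown` at `level: high` is thin for a rule that fires on every rundll32 invocation whose command line lacks `.dll`; presumably some built-in Windows callers pass non-.dll arguments, and the benign cases seen in testing belong in that list now rather than in a later tuning commit. The `filter_empty` (`CommandLine: null`) and `filter` (`CommandLine: ''`) pair looks deliberate for backends that distinguish a missing field from an empty one — a one-line comment saying so would stop a later cleanup from merging them.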
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index 5fc3a2a35..9b350bdda 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml @@ -22,5 +22,4 @@ falsepositives: level: low tags: - attack.execution - - attack.t1035 # an old one - attack.t1569.002 diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml index bfff03645..b2b8b1b67 100644 --- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml +++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml @@ -21,6 +21,5 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.002 - attack.t1003.003 diff --git a/rules/windows/process_creation/win_shell_spawn_mshta.yml b/rules/windows/process_creation/win_shell_spawn_mshta.yml index d77e607c1..9bc718927 100644 --- a/rules/windows/process_creation/win_shell_spawn_mshta.yml +++ b/rules/windows/process_creation/win_shell_spawn_mshta.yml @@ -10,7 +10,6 @@ date: 2021/06/28 tags: - attack.execution - attack.defense_evasion - - attack.t1064 # an old one - attack.t1059.005 - attack.t1059.001 - attack.t1218 diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index b215a6ab5..bd5146fed 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -39,7 +39,6 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1064 # an old one - attack.t1059.005 - attack.t1059.001 - attack.t1218 diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index e88cda05d..1f818c290 100644 
--- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml @@ -26,4 +26,3 @@ level: medium tags: - attack.credential_access - attack.t1558.003 - - attack.t1208 # an old one diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index fc9cb34de..212852fa1 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,6 @@ date: 2020/02/18 modified: 2022/01/11 author: Sreeman tags: - - attack.t1015 # an old one - attack.t1546.008 - attack.privilege_escalation logsource: diff --git a/rules/windows/process_creation/win_susp_advancedrun.yml b/rules/windows/process_creation/win_susp_advancedrun.yml new file mode 100644 index 000000000..911766159 --- /dev/null +++ b/rules/windows/process_creation/win_susp_advancedrun.yml 
@@ -0,0 +1,28 @@ +title: Suspicious AdvancedRun Execution +id: d2b749ee-4225-417e-b20e-a8d2193cbb84 +status: experimental +description: Detects the execution of AdvancedRun utitlity +references: + - https://twitter.com/splinter_code/status/1483815103279603714 + - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 + - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/ + - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ +author: Florian Roth +date: 2022/01/20 +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: '\AdvancedRun.exe' + - CommandLine|contains|all: + - ' /EXEFilename ' + - ' /Run' + - CommandLine|contains|all: + - ' /WindowState 0' + - ' /RunAs ' + - ' /CommandLine ' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml new file mode 100644 index 000000000..9401ed7d6 --- /dev/null +++ b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml 
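Review bot: `description: Detects the execution of AdvancedRun utitlity` misspells "utility"; the same typo is in the next new file, win_susp_advancedrun_priv_user.yml. Neither of the two new AdvancedRun rules has a `tags:` block, which is inconsistent with the tag cleanup the rest of this commit performs, so at minimum a tactic tag belongs in both. The second selection alternative `' /Run'` has no trailing space and therefore also matches `/RunAs`; if that is intended, a short comment such as `# no trailing space: also covers /RunAs` makes it explicit rather than looking like an omission.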
@@ -0,0 +1,30 @@ +title: Suspicious AdvancedRun Runas Priv User +id: fa00b701-44c6-4679-994d-5a18afa8a707 +status: experimental +description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller or SYSTEM account +references: + - https://twitter.com/splinter_code/status/1483815103279603714 + - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 + - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/ + - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ +author: Florian Roth +date: 2022/01/20 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '/EXEFilename' + - '/CommandLine' + selection_runas: + - CommandLine|contains: + - ' /RunAs 8 ' + - ' /RunAs 4 ' + - CommandLine|endswith: + - '/RunAs 8' + - '/RunAs 4' + condition: all of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index b6c580934..1e2238e94 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml @@ -13,7 +13,6 @@ tags: - attack.t1070 - attack.persistence - attack.t1542.003 - - attack.t1067 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml index 79e852bb6..b8405479e 100644 --- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml @@ -33,5 +33,4 @@ falsepositives: level: high tags: - attack.privilege_escalation - - attack.t1134 # an old one - attack.t1134.002 
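Review bot: The description promises detection of AdvancedRun running as TrustedInstaller or SYSTEM, but nothing in the rule records which `/RunAs` value maps to which account, so a reviewer cannot check `8` and `4` without leaving the file; a comment on selection_runas such as `# /RunAs <value> = <account>, per the AdvancedRun documentation`, filled in with the real mapping, would make the rule auditable. The `contains` entries (`' /RunAs 8 '`) and the `endswith` entries (`'/RunAs 8'`) together cover the value mid-line and at end-of-line, which is the right shape; one comment saying so would keep the pair from being collapsed into a single `contains` later.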
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index ceb84518a..6aefefbfe 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml @@ -32,6 +32,3 @@ level: high tags: - attack.collection - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1020 # an old one - - attack.t1002 # an old one diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml index c25161a86..f5d59fe57 100644 --- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml @@ -33,4 +33,3 @@ tags: - attack.t1218.011 - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index a435db36c..d39c81233 100644 --- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 37a2d98d3..d133ba198 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml @@ -42,6 +42,5 @@ tags: - attack.collection - attack.exfiltration - attack.t1039 - - attack.t1105 # an old one - attack.t1048 - attack.t1021.002 diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml index a7900d6a3..e1c9bd854 100644 
--- a/rules/windows/process_creation/win_susp_covenant.yml +++ b/rules/windows/process_creation/win_susp_covenant.yml @@ -32,5 +32,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1059.001 - - attack.t1564.003 - - attack.t1086 # an old one + - attack.t1564.003 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index 9a5f1afb3..8b2ae8d21 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -11,7 +11,6 @@ tags: - attack.t1059.003 - attack.t1059.001 - attack.s0106 - - attack.t1086 # an old one author: Thomas Patzke date: 2020/05/22 logsource: diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index 587425522..aa1c2aef0 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml @@ -36,5 +36,3 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1027.005 - - attack.t1027 # an old one - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 68b300326..eb15b5628 100644 --- a/rules/windows/process_creation/win_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml @@ -26,6 +26,5 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.defense_evasion - - attack.t1500 # an old one - attack.t1218.005 - attack.t1027.004 diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml index 96ff5178b..3fbae6f32 100644 --- a/rules/windows/process_creation/win_susp_csc_folder.yml 
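Review bot: The re-added last line `+   - attack.t1564.003` is followed by `\ No newline at end of file`, so this hunk strips the terminating newline from win_susp_covenant.yml even though the only intended change is dropping the old `attack.t1086` tag; the deleted `- attack.t1564.003` line still had its newline. Restore the trailing newline so the file stays consistent with the rest of the rule set and the next edit does not produce a spurious diff on this line.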
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml @@ -12,7 +12,6 @@ date: 2019/08/24 modified: 2021/02/01 tags: - attack.defense_evasion - - attack.t1500 # an old one - attack.t1027.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_curl_fileupload.yml b/rules/windows/process_creation/win_susp_curl_fileupload.yml index c76ac44c5..dbe45bb0f 100644 --- a/rules/windows/process_creation/win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/win_susp_curl_fileupload.yml @@ -6,15 +6,22 @@ author: Florian Roth references: - https://twitter.com/d1r4c/status/1279042657508081664 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file + - https://curl.se/docs/manpage.html date: 2020/07/03 -modified: 2021/11/27 +modified: 2022/01/22 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\curl.exe' - CommandLine|contains: ' -F ' + CommandLine|contains: + - ' -F ' + - ' -T ' + - ' --upload-file ' + - ' -d ' + - ' --data ' condition: selection fields: - CommandLine @@ -25,3 +32,4 @@ level: medium tags: - attack.exfiltration - attack.t1567 + - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml index e758f6315..30deb267c 100644 --- a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml +++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml @@ -30,4 +30,3 @@ level: high tags: - attack.defense_evasion - attack.t1055.001 - - attack.t1055 # an old one diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml index f8d0c8f9f..9b2ab10a9 100644 --- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml 
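Review bot: The added `' -d '` and `' --data '` entries in win_susp_curl_fileupload.yml match the body flags of any ordinary curl POST (API calls, webhooks, installers), a far noisier population than the `-F`/`-T` upload forms the rule was written for; the falsepositives block is outside this hunk but should mention routine scripted HTTP POSTs, and the `-d`/`--data` variants may deserve their own lower-level rule. The space-bounded patterns also leave `--data-binary`, `--data-raw` and `--data-urlencode` unmatched, so either add them or note the gap in the description. The second hunk adds `attack.t1105`, which names the ingress direction while the upload this rule detects is the exfiltration side already tagged `attack.t1567`; if the tag is there because the Atomic test referenced above lives under T1105, a comment saying so would keep the next tag cleanup from removing it.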
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml @@ -21,5 +21,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1218 - - attack.execution # an old one + - attack.t1218 diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 1333585a3..ba1ad00df 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -37,4 +37,3 @@ level: medium tags: - attack.persistence - attack.t1547.001 - - attack.t1060 # an old one diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml index 96cb4a40a..a7a95326e 100644 --- a/rules/windows/process_creation/win_susp_disable_ie_features.yml +++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml @@ -30,4 +30,3 @@ level: high tags: - attack.defense_evasion - attack.t1562.001 - - attack.t1089 # an old one diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml index d5ed9858c..899c82581 100644 --- a/rules/windows/process_creation/win_susp_ditsnap.yml +++ b/rules/windows/process_creation/win_susp_ditsnap.yml @@ -25,4 +25,3 @@ level: high tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml index 24ae43496..447355b3a 100644 --- a/rules/windows/process_creation/win_susp_dnx.yml +++ b/rules/windows/process_creation/win_susp_dnx.yml @@ -22,4 +22,3 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1027.004 - - attack.execution # an old one 
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index d14cf33a6..ea3f5a4e1 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml @@ -32,4 +32,3 @@ level: critical tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index 1fe56e4ed..31a2e2bef 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml @@ -24,4 +24,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218 - - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index b2d6bc67a..a0ddf9485 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -37,5 +37,4 @@ level: high tags: - attack.defense_evasion - attack.t1070.001 - - attack.t1070 # an old one - car.2016-04-002 diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index 9e1ad907d..8f63d9810 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -32,4 +32,3 @@ level: medium tags: - attack.persistence - attack.t1505.003 - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml index 7bfd6a159..b140f479a 100644 --- a/rules/windows/process_creation/win_susp_file_characteristics.yml +++ b/rules/windows/process_creation/win_susp_file_characteristics.yml 
@@ -11,8 +11,6 @@ modified: 2021/06/27 tags: - attack.execution - attack.t1059.006 - - attack.defense_evasion # an old one - - attack.t1064 # an old one logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index 5751fdad8..4d09b1602 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml @@ -26,4 +26,3 @@ level: high tags: - attack.defense_evasion - attack.t1574.002 - - attack.t1073 # an old one diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 941506213..afb95cec6 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -24,4 +24,3 @@ level: medium tags: - attack.persistence - attack.t1505.003 - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml index 9d22cc0af..e2ede2aeb 100644 --- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml @@ -25,4 +25,3 @@ level: high tags: - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index dee88ff69..8327351a0 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -20,4 +20,3 @@ level: medium tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml index 1bb004701..5dd9e0c24 100644 --- a/rules/windows/process_creation/win_susp_odbcconf.yml 
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml @@ -27,5 +27,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218.008 - - attack.execution # an old one - - attack.t1218 # an old one diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml index bff1cf575..92bcf7e23 100644 --- a/rules/windows/process_creation/win_susp_openwith.yml +++ b/rules/windows/process_creation/win_susp_openwith.yml @@ -22,4 +22,3 @@ level: high tags: - attack.defense_evasion - attack.t1218 - - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml index 2059eb01a..6124d0ec2 100644 --- a/rules/windows/process_creation/win_susp_outlook_temp.yml +++ b/rules/windows/process_creation/win_susp_outlook_temp.yml @@ -8,7 +8,6 @@ modified: 2021/06/27 tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 #an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml index 38ebf22eb..88c8c7bc2 100644 --- a/rules/windows/process_creation/win_susp_pcwutl.yml +++ b/rules/windows/process_creation/win_susp_pcwutl.yml @@ -24,5 +24,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218.011 - - attack.execution # an old one - - attack.t1218 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml index 9d4a166a7..f8ed94c4f 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml @@ -29,4 +29,3 @@ level: critical tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one 
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml index 194fb3f6d..eab62357c 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml @@ -27,5 +27,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one - car.2019-04-001 diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 760907af5..c54e1962a 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -10,7 +10,6 @@ modified: 2021/03/02 tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml index 8a47cb294..f097432ae 100644 --- a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml +++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml @@ -20,6 +20,5 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 7d449f116..ffdd8aded 100644 --- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml @@ -71,4 +71,3 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one 
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 3a70cb1e3..f11b4433a 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -29,4 +29,3 @@ level: medium tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 9d379112e..ec85223dd 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -57,4 +57,3 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml index 299ed2930..8efcfe570 100644 --- a/rules/windows/process_creation/win_susp_procdump_lsass.yml +++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml @@ -11,8 +11,7 @@ tags: - attack.defense_evasion - attack.t1036 - attack.credential_access - - attack.t1003.001 - - attack.t1003 # an old one + - attack.t1003.001 - car.2013-05-009 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index 18bbbbebb..1a19bc555 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -8,7 +8,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/09 modified: 2021/11/28 
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml index b6b71035f..d6ab62278 100644 --- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml +++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml @@ -23,7 +23,6 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.command_and_control - attack.t1104 - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml index b4a58ce1d..7055b8ae2 100644 --- a/rules/windows/process_creation/win_susp_rar_flags.yml +++ b/rules/windows/process_creation/win_susp_rar_flags.yml @@ -12,8 +12,6 @@ modified: 2021/07/27 tags: - attack.collection - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1002 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml index 86a20dd25..bf1f81614 100644 --- a/rules/windows/process_creation/win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml @@ -22,4 +22,3 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 - - attack.t1064 # an old one diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml index 8712392b9..ec29da6a7 100644 --- a/rules/windows/process_creation/win_susp_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_recon_activity.yml @@ -12,7 +12,6 @@ tags: - attack.discovery - attack.t1087.001 - attack.t1087.002 - - attack.t1087 # an old one logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 0e98a9e1f..41133d360 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -11,8 +11,6 @@ references: tags: - attack.defense_evasion - attack.t1218.010 - - attack.execution # an old one - - attack.t1117 # an old one - car.2019-04-002 - car.2019-04-003 logsource: diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml index fea242d3d..03d3ccf4f 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml @@ -26,4 +26,3 @@ level: high tags: - attack.defense_evasion - attack.t1218.010 - - attack.t1117 # an old one diff --git a/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml b/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml index 0c347cf21..f7690358b 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN references: - https://twitter.com/mrd0x/status/1461041276514623491c19-ps + - https://twitter.com/tccontre18/status/1480950986650832903 tags: - attack.defense_evasion - attack.t1218.010 @@ -15,8 +16,8 @@ logsource: detection: selection_flags: CommandLine|contains|all: - - ' /s ' - - ' /u ' + - ' /s' + - ' /u' selection_ip: CommandLine|contains: - ' /i:http://1' 
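Review bot: Dropping the trailing space in `' /s'` and `' /u'` under `selection_flags` turns the switch match into a prefix match, so any switch beginning with `s` or `u` in a command line that also carries ` /i:http://1` now satisfies the rule; that is presumably meant to catch a switch that is last on the line or directly followed by another token, but nothing in the rule records it. A short comment above the list, `# no trailing space: the switch may be last on the line or chained`, would keep the next maintainer from reverting it. Neither hunk of this file bumps `modified:`, unlike the other rules whose detection logic this commit touches. The existing mrd0x reference ending in `c19-ps` looks like a paste artefact and is worth checking while the list is open.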
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml index 5c9525cad..76bdf7c29 100644 --- a/rules/windows/process_creation/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml @@ -74,6 +74,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.execution # an old one - attack.t1218.011 - - attack.t1085 # an old one diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 367971c00..799053628 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -8,9 +8,7 @@ references: - https://twitter.com/cyb3rops/status/1186631731543236608 tags: - attack.defense_evasion - - attack.execution # an old one - attack.t1218.011 - - attack.t1085 # an old one author: Florian Roth date: 2019/10/22 modified: 2021/12/08 diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml index bc671f4cf..ecb3d7a8e 100644 --- a/rules/windows/process_creation/win_susp_schtask_creation.yml +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml @@ -25,7 +25,6 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1053.005 - - attack.t1053 # an old one - attack.s0111 - car.2013-08-001 falsepositives: diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml index 4b52d2493..9b011d35f 100644 --- a/rules/windows/process_creation/win_susp_script_execution.yml +++ b/rules/windows/process_creation/win_susp_script_execution.yml @@ -29,4 +29,4 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - - attack.t1064 # an old one + 
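Review bot: In win_susp_script_execution.yml the `- attack.t1064 # an old one` entry is replaced by a blank, apparently whitespace-only line rather than deleted, so the new file ends with an empty line inside the `tags` list. Every other rule in this commit simply drops the deprecated tag line; do the same here and end the file with exactly one newline so yamllint's `trailing-spaces` and `empty-lines` checks stay clean.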
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml index 116b6c54a..733b00059 100644 --- a/rules/windows/process_creation/win_susp_service_path_modification.yml +++ b/rules/windows/process_creation/win_susp_service_path_modification.yml @@ -31,4 +31,3 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 - - attack.t1031 # an old one diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml index 11c66ddbc..8217e0459 100644 --- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -6,7 +6,6 @@ author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2021/06/27 tags: - - attack.t1100 # an old one - attack.t1505.003 - attack.t1190 - attack.initial_access diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index c8b351ed9..ea3b72cae 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2021/12/07 +modified: 2022/01/12 logsource: category: process_creation product: windows @@ -24,10 +24,11 @@ detection: - '--createShortcut' CommandLine|contains|all: - '.exe' - filter: + filter1: CommandLine|contains|all: - - 'C:\\Users\\' - - '\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe' + - 'C:\Users\' + - '\AppData\Local\Discord\Update.exe' + - ' --processStart Discord.exe' condition: selection and not 1 of filter* falsepositives: - 1Clipboard 
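Review bot: Splitting the Discord exclusion in `filter1` into three separate `contains|all` terms means the substrings no longer need to be adjacent: any command line that mentions `C:\Users\`, `\AppData\Local\Discord\Update.exe` and ` --processStart Discord.exe` anywhere is excluded, which is looser than the single pattern it replaces. If the goal was only to get rid of the `\"` escape, the second and third terms can stay contiguous as `'\AppData\Local\Discord\Update.exe" --processStart Discord.exe'`; if the quoting after the executable genuinely varies, keep the split but record that above the filter, e.g. `# split into tokens: the quote after Update.exe is not always present`. The rename to `filter1` is consistent with the existing `1 of filter*` condition and needs no change.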
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index af0cdb025..33755d48f 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -5,7 +5,6 @@ description: Detects a suspicious svchost process start tags: - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one author: Florian Roth date: 2017/08/15 modified: 2021/12/03 diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index 4c62a63c3..c48a543f1 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml @@ -23,4 +23,3 @@ level: medium tags: - attack.credential_access - attack.t1552.006 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml index c7e82c10a..0a90bd343 100644 --- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml @@ -21,6 +21,5 @@ level: high tags: - attack.lateral_movement - attack.t1563.002 - - attack.t1076 # an old one - attack.t1021.001 - car.2013-07-002 diff --git a/rules/windows/process_creation/win_susp_winrar_dmp.yml b/rules/windows/process_creation/win_susp_winrar_dmp.yml index 450a62401..26acf49b3 100644 --- a/rules/windows/process_creation/win_susp_winrar_dmp.yml +++ b/rules/windows/process_creation/win_susp_winrar_dmp.yml @@ -6,11 +6,6 @@ references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth date: 2022/01/04 -tags: - - attack.collection - - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1002 # an old one logsource: category: process_creation product: windows 
@@ -25,4 +20,7 @@ detection: condition: selection and dumpfile falsepositives: - Legitimate use of WinRAR with a command line in which .dmp appears incidentally -level: high \ No newline at end of file +level: high +tags: + - attack.collection + - attack.t1560.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_winrar_execution.yml b/rules/windows/process_creation/win_susp_winrar_execution.yml index f7f0bbb6f..3f65047b3 100644 --- a/rules/windows/process_creation/win_susp_winrar_execution.yml +++ b/rules/windows/process_creation/win_susp_winrar_execution.yml @@ -10,8 +10,6 @@ modified: 2021/11/22 tags: - attack.collection - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1002 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index e45421438..79b05e66a 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -13,8 +13,6 @@ tags: - attack.persistence - attack.execution - attack.t1574.002 - - attack.t1059 # an old one - - attack.t1064 # an old one logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml index 8e731a03d..fcf0bf8be 100644 --- a/rules/windows/process_creation/win_uac_cmstp.yml +++ b/rules/windows/process_creation/win_uac_cmstp.yml @@ -30,5 +30,3 @@ tags: - attack.defense_evasion - attack.t1548.002 - attack.t1218.003 - - attack.t1191 # an old one - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml index 2e11331ae..22dcb8137 100644 --- a/rules/windows/process_creation/win_uac_fodhelper.yml +++ b/rules/windows/process_creation/win_uac_fodhelper.yml 
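Review bot: The rewritten tail of win_susp_winrar_dmp.yml still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new `- attack.t1560.001` line); since the commit rewrites the last line anyway, this is the moment to add one so yamllint's `new-line-at-end-of-file` passes. The same tag relocation in win_wmi_spwns_powershell.yml, registry_event_apt_chafer_mar18.yml, registry_event_mal_adwind.yml, registry_event_stickykey_like_backdoor.yml, registry_event_uac_bypass_eventvwr.yml, sysmon_apt_leviathan.yml and sysmon_asep_reg_keys_modification.yml has the same problem, and in wmi_spwns_powershell, mal_adwind, uac_bypass_eventvwr, apt_leviathan and asep_reg_keys_modification the original file did end with a newline, so there the commit introduces it. Moving `tags` after `level` is harmless for a YAML mapping, but each of these files should end with a single `\n`.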
@@ -25,4 +25,3 @@ level: high tags: - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml index 948c66174..877ffb1b4 100644 --- a/rules/windows/process_creation/win_uac_wsreset.yml +++ b/rules/windows/process_creation/win_uac_wsreset.yml @@ -22,4 +22,3 @@ level: high tags: - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 5b06496a8..fea0fc749 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -14,8 +14,6 @@ tags: - attack.t1018 - attack.t1033 - attack.t1087 - - attack.privilege_escalation # an old one - - attack.t1100 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml index 1686926ee..6ae3785b5 100644 --- a/rules/windows/process_creation/win_webshell_recon_detection.yml +++ b/rules/windows/process_creation/win_webshell_recon_detection.yml @@ -39,5 +39,3 @@ level: high tags: - attack.persistence - attack.t1505.003 - - attack.privilege_escalation # an old one - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index 762ee4c21..e1d133705 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -34,5 +34,4 @@ level: high tags: - attack.persistence - attack.t1505.003 - - attack.privilege_escalation # an old one - attack.t1190 
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml index 8bdca5328..5627d30b2 100644 --- a/rules/windows/process_creation/win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml @@ -25,5 +25,4 @@ level: high tags: - attack.privilege_escalation - attack.t1053.005 - - attack.t1053 # an old one - car.2013-08-001 diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index d7a084782..672859839 100644 --- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -21,4 +21,3 @@ level: critical tags: - attack.persistence - attack.t1546.003 - - attack.t1084 # an old one diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml index 2f6e315fe..d0ce675cc 100644 --- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -22,4 +22,3 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.003 - - attack.t1047 # an old one diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml index 90a71de04..90b422eab 100644 --- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml 
@@ -8,12 +8,6 @@ references: author: Markus Neis / @Karneades date: 2019/04/03 modified: 2021/02/24 -tags: - - attack.execution - - attack.t1047 - - attack.t1059.001 - - attack.defense_evasion # an old one - - attack.t1064 # an old one logsource: category: process_creation product: windows @@ -32,3 +26,7 @@ falsepositives: - AppvClient - CCM level: high +tags: + - attack.execution + - attack.t1047 + - attack.t1059.001 \ No newline at end of file diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml index 52d386477..612ecd044 100644 --- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml +++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml @@ -26,4 +26,3 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1548.002 - - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index de22303eb..b861ce72e 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -35,4 +35,3 @@ level: medium tags: - attack.defense_evasion - attack.t1220 - - attack.execution # an old one diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 254351b3b..16802f56e 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml 
@@ -4,7 +4,7 @@ description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community status: test date: 2019/10/22 -modified: 2022/02/02 +modified: 2022/01/02 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index ecf8aba9b..bfdd0738b 100644 --- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -11,7 +11,7 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/09/24 +modified: 2022/01/13 fields: - EventID - CommandLine @@ -22,6 +22,7 @@ logsource: category: registry_event detection: selection: + EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - .sh diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml index 7378e096c..36a523e37 100644 --- a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml +++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml 
@@ -7,19 +7,6 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron status: experimental references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -tags: - - attack.persistence - - attack.g0049 - - attack.t1053 # an old one - - attack.t1053.005 - - attack.s0111 - - attack.t1050 # an old one - - attack.t1543.003 - - attack.defense_evasion - - attack.t1112 - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 date: 2018/03/23 modified: 2021/09/19 author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community @@ -34,4 +21,14 @@ detection: condition: selection_reg1 falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical +tags: + - attack.persistence + - attack.g0049 + - attack.t1053.005 + - attack.s0111 + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071.004 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index 0d3faa4e0..cc6bcbd94 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/10/18 +modified: 2022/01/13 author: Ján Trenčanský, frack113, AlertIQ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -14,7 +14,6 @@ references: status: experimental tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows 
@@ -27,6 +26,7 @@ detection: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' selection2: + EventType: SetValue TargetObject: - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend' - 'HKLM\SOFTWARE\Microsoft\Windows Defender' diff --git a/rules/windows/registry_event/registry_event_defender_exclusions.yml b/rules/windows/registry_event/registry_event_defender_exclusions.yml index 1840ff84f..863ce5553 100644 --- a/rules/windows/registry_event/registry_event_defender_exclusions.yml +++ b/rules/windows/registry_event/registry_event_defender_exclusions.yml @@ -12,7 +12,6 @@ references: status: test tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml index fc25febc7..938a1f7c1 100755 --- a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -10,7 +10,6 @@ modified: 2021/09/12 author: Florian Roth tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 - attack.t1112 logsource: diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml index 3bdba761b..7c4060d17 100644 --- a/rules/windows/registry_event/registry_event_mal_adwind.yml +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml 
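Review bot: In registry_event_defender_disabled.yml `EventType: SetValue` is added only to `selection2`, while the preceding selection, which matches a written value (`Details: 'DWORD (0x00000001)'`) and so, as far as the hunk shows, can only fire on a value-set event, is left without it; the asymmetry reads as an oversight rather than a choice. Either add the same `EventType: SetValue` line to the first selection or put a one-line comment above `selection2` explaining why only the generic WinDefend key list needs the restriction. The first selection's header lies outside the hunk, so its remaining fields could not be checked here. The same field is added in registry_event_abusing_windows_telemetry_for_persistence.yml, registry_event_mal_adwind.yml, registry_event_uac_bypass_winsat.yml, registry_event_uac_bypass_wmp.yml and sysmon_asep_reg_keys_modification_classes.yml, where the visible selection is a single block and no such asymmetry arises.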
@@ -10,18 +10,18 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2021/09/19 -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 - - attack.t1064 # an old one +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection level: high +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 \ No newline at end of file diff --git a/rules/windows/malware/registry_event_mal_azorult.yml b/rules/windows/registry_event/registry_event_mal_azorult.yml similarity index 100% rename from rules/windows/malware/registry_event_mal_azorult.yml rename to rules/windows/registry_event/registry_event_mal_azorult.yml diff --git a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml similarity index 100% rename from rules/windows/malware/registry_event_mal_blue_mockingbird.yml rename to rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml diff --git a/rules/windows/malware/registry_event_mal_flowcloud.yml b/rules/windows/registry_event/registry_event_mal_flowcloud.yml similarity index 100% rename from rules/windows/malware/registry_event_mal_flowcloud.yml rename to rules/windows/registry_event/registry_event_mal_flowcloud.yml diff --git a/rules/windows/malware/registry_event_mal_netwire.yml b/rules/windows/registry_event/registry_event_mal_netwire.yml similarity index 100% rename from rules/windows/malware/registry_event_mal_netwire.yml rename to rules/windows/registry_event/registry_event_mal_netwire.yml 
diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/registry_event/registry_event_mal_ursnif.yml similarity index 100% rename from rules/windows/malware/registry_event_mal_ursnif.yml rename to rules/windows/registry_event/registry_event_mal_ursnif.yml diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml index 8f5c2b1bf..597e33ad0 100644 --- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml @@ -9,7 +9,6 @@ date: 2018/03/20 modified: 2021/09/21 tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 - attack.t1112 logsource: diff --git a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml index 595145857..7a542b20e 100755 --- a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml @@ -5,13 +5,6 @@ description: Detects the usage and installation of a backdoor that uses an optio status: experimental references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ -tags: - - attack.privilege_escalation - - attack.persistence - - attack.t1015 # an old one - - attack.t1546.008 - - car.2014-11-003 - - car.2014-11-008 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community date: 2018/03/15 modified: 2021/09/12 @@ -30,4 +23,10 @@ detection: condition: selection_registry falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1546.008 + - car.2014-11-003 + - car.2014-11-008 \ No newline at end of file 
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml index 01603e588..bb1ad8524 100755 --- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml @@ -8,12 +8,6 @@ references: author: Florian Roth date: 2017/03/19 modified: 2021/09/12 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1088 # an old one - - attack.t1548.002 - - car.2019-04-001 logsource: product: windows category: registry_event @@ -25,3 +19,8 @@ detection: falsepositives: - unknown level: critical +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml index 43efa10c9..5280038f2 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml @@ -3,6 +3,7 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) author: Christian Burkard date: 2021/08/30 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|' TargetObject|endswith: '\LowerCaseLongPath' Details|startswith: 'c:\users\' diff --git a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml index 22f04a705..ea145d3c0 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml 
@@ -3,6 +3,7 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 author: Christian Burkard
 date: 2021/08/23
+modified: 2022/01/13
 status: experimental
 references:
 - https://github.com/hfiref0x/UACME
@@ -15,6 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
 Details: 'Binary Data'
 condition: selection
diff --git a/rules/windows/registry_event/sysmon_apt_leviathan.yml b/rules/windows/registry_event/sysmon_apt_leviathan.yml
index c32419187..26311a8cc 100644
--- a/rules/windows/registry_event/sysmon_apt_leviathan.yml
+++ b/rules/windows/registry_event/sysmon_apt_leviathan.yml
@@ -4,10 +4,6 @@ status: experimental
 description: Detects registry key used by Leviathan APT in Malaysian focused campaign
 references:
 - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
-tags:
- - attack.persistence
- - attack.t1060 # an old one
- - attack.t1547.001
 author: Aidan Bracher
 date: 2020/07/07
 modified: 2021/09/13
@@ -19,3 +15,6 @@ detection:
 TargetObject: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
 condition: selection
 level: critical
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 65923ce35..0eba0db70 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -6,10 +6,6 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
-tags:
- - attack.persistence
- - attack.t1547.001
- - attack.t1060 # an old one
 date: 2019/10/25
 modified: 2021/12/05
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
@@ -215,3 +211,6 @@ fields:
 falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml
index 2cb80ab88..44b01ed98 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 classes_base:
+ EventType: SetValue
 TargetObject|contains: '\Software\Classes'
 classes:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml
index e9d0e9331..f797c50fe 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 main_selection:
+ EventType: SetValue
 TargetObject|contains:
 - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
 - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml
index 1b1bd16f6..8e3ffd89c 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 system_control_base:
+ EventType: SetValue
 TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
 system_control:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
index 9c4e8b390..3e823aa25 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/27
+modified: 2022/01/19
 logsource:
 category: registry_event
 product: windows
 detection:
 current_version_base:
+ EventType: SetValue
 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
 current_version:
 TargetObject|contains:
@@ -42,6 +43,7 @@ detection:
 - Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
 - Image:
 - 'C:\WINDOWS\system32\devicecensus.exe'
+ - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
 filter_edge:
 Image|startswith:
 - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml
index b6bdedcbc..f5b79b9cd 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/19
 logsource:
 category: registry_event
 product: windows
 detection:
 nt_current_version_base:
+ EventType: SetValue
 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 nt_current_version:
 TargetObject|contains:
@@ -36,6 +37,9 @@ detection:
 - '\Windows\Load'
 filter:
 Details: '(Empty)'
+ filter_edge:
+ Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
+ Image|endswith: '\MicrosoftEdgeUpdate.exe'
 condition: nt_current_version_base and nt_current_version and not filter
 fields:
 - SecurityID
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml
index 13a3112d1..b78b65a14 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 ie:
+ EventType: SetValue
 TargetObject|contains:
 - '\Software\Wow6432Node\Microsoft\Internet Explorer'
 - '\Software\Microsoft\Internet Explorer'
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml
index 46a4479e5..235706a41 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 office:
+ EventType: SetValue
 TargetObject|contains:
 - '\Software\Wow6432Node\Microsoft\Office'
 - '\Software\Microsoft\Office'
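Review bot: The new `filter_edge` selection in sysmon_asep_reg_keys_modification_currentversion_nt.yml is never evaluated, because the condition on the line right after it still reads `condition: nt_current_version_base and nt_current_version and not filter`, so the Edge-updater exclusion it introduces has no effect and those events keep firing. Change it to `condition: nt_current_version_base and nt_current_version and not 1 of filter*`, the same pattern sysmon_registry_persistence_search_order.yml in this commit uses, or name both filters explicitly. The first hunk of this file already bumps `modified` to 2022/01/19, so no further metadata change is needed for the fix.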
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml
index 08830dc05..7ccafcdcc 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 session_manager_base:
+ EventType: SetValue
 TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
 session_manager:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml
index 0b721eb8b..41cbd4739 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 scripts_base:
+ EventType: SetValue
 TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
 scripts:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
index b283e6a61..318b9db59 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/08
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 winsock_parameters_base:
+ EventType: SetValue
 TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
 winsock_parameters:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
index e7d956008..6a49c0f88 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/19
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 wow_current_version_base:
+ EventType: SetValue
 TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
 wow_current_version:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml
index c91ab45d0..41cc28651 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 wow_classes_base:
+ EventType: SetValue
 TargetObject|contains: '\Software\Wow6432Node\Classes'
 wow_classes:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml
index 2f07e05a1..a0b9eba10 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -11,12 +11,13 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 wow_nt_current_version_base:
+ EventType: SetValue
 TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
 wow_nt_current_version:
 TargetObject|contains:
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
index 10c7f0b17..782a2365c 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
@@ -2,13 +2,6 @@ title: CMSTP Execution Registry Event
 id: b6d235fc-1d38-4b12-adbe-325f06728f37
 status: stable
 description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1191 # an old one
- - attack.t1218.003
- - attack.g0069
- - car.2019-04-001
 author: Nik Seetharaman
 date: 2018/07/16
 modified: 2020/12/23
@@ -28,3 +21,9 @@ detection:
 selection:
 TargetObject|contains: '\cmmgr32.exe'
 condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218.003
+ - attack.g0069
+ - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_cve_2020_1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml
index f87f36d85..c5e24e178 100644
--- a/rules/windows/registry_event/sysmon_cve_2020_1048.yml
+++ b/rules/windows/registry_event/sysmon_cve_2020_1048.yml
@@ -6,12 +6,13 @@ author: EagleEye Team, Florian Roth, NVISO
 references:
 - https://windows-internals.com/printdemon-cve-2020-1048/
 date: 2020/05/13
-modified: 2021/11/27
+modified: 2022/01/13
 logsource:
 product: windows
 category: registry_event
 detection:
 selection:
+ EventType: SetValue
 TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
 Details|contains:
 - '.dll'
diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index da3724582..99fb16bc1 100755
--- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -23,6 +23,5 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 - attack.t1112
diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index fd49c8429..8adfe4acc 100755
--- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -28,6 +28,5 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
 - attack.t1112
diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
index c5138d2bf..55b34be14 100644
--- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
+++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
@@ -1,33 +1,36 @@ title: DNS-over-HTTPS Enabled by Registry
 id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
-date: 2021/07/22
-modified: 2021/09/08
+status: experimental
 description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
 author: Austin Songer
-status: experimental
 references:
 - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
 - https://github.com/elastic/detection-rules/issues/1371
 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
 - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
-tags:
- - attack.defense_evasion
- - attack.t1140
- - attack.t1112
+date: 2021/07/22
+modified: 2022/01/13
 logsource:
 product: windows
 category: registry_event
 detection:
 selection_edge:
+ EventType: SetValue
 TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
 Details: 'DWORD (1)'
 selection_chrome:
+ EventType: SetValue
 TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
 Details: 'DWORD (secure)'
 selection_firefox:
+ EventType: SetValue
 TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
 Details: 'DWORD (1)'
- condition: selection_edge or selection_chrome or selection_firefox
+ condition: 1 of selection_*
 falsepositives:
 - Unlikely
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+ - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml
index 0694d6440..5253af2c4 100644
--- a/rules/windows/registry_event/sysmon_etw_disabled.yml
+++ b/rules/windows/registry_event/sysmon_etw_disabled.yml
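Review bot: `Details: 'DWORD (secure)'` in `selection_chrome` looks inconsistent with the Chrome DnsOverHttpsMode policy, which the referenced chromeenterprise page documents as a string-valued setting ("off", "automatic", "secure"); if the value is written as REG_SZ, Sysmon reports the bare string in Details and this selection never matches. The commit touches all three selections to add `EventType: SetValue` but leaves this line as it was, so it is worth confirming against a real EventID 13 record and, if confirmed, changing it to `Details: 'secure'`. The Edge and Firefox selections use `DWORD (1)`, which is consistent with their boolean policies.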
@@ -14,12 +14,13 @@ references:
 - http://managed670.rssing.com/chan-5590147/all_p1.html
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 date: 2020/06/05
-modified: 2021/11/27
+modified: 2022/01/13
 logsource:
 product: windows
 category: registry_event
 detection:
 selection:
+ EventType: SetValue
 TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
 Details: 'DWORD (0x00000000)'
 condition: selection
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 8d127a5ee..884564b3e 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -19,6 +19,5 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.s0005
diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml
index f9e53a3dc..3dbb8e686 100644
--- a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml
@@ -3,6 +3,7 @@ id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
 description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
 status: experimental
 date: 2021/04/12
+modified: 2022/01/13
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.resource_development
@@ -16,6 +17,7 @@ detection:
 selection1:
 TargetObject|contains: '\Services\HybridConnectionManager'
 selection2:
+ EventType: SetValue
 Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
 condition: selection1 or selection2
 falsepositives:
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
index e8302dd00..51cdc34d6 100644
--- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -19,7 +19,6 @@ falsepositives:
 - penetration tests, red teaming
 level: high
 tags:
- - attack.t1037 # an old one
 - attack.t1037.001
 - attack.persistence
 - attack.lateral_movement
diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
index 2e07a2d8c..fb729a92c 100755
--- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: high
 tags:
 - attack.persistence
- - attack.t1060 # an old one
 - attack.t1547.001
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 1c4d405b0..2e4d32e44 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -28,5 +28,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1182 # an old one
 - attack.t1546.009
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index e54f396b2..df6b7b4d8 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -5,10 +5,6 @@ description: DLLs that are specified in the AppInit_DLLs value in the Registry k
 into every process that loads user32.dll
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
-tags:
- - attack.persistence
- - attack.t1103 # an old one
- - attack.t1546.010
 author: Ilyas Ochkov, oscd.community, Tim Shelton
 date: 2019/10/25
 modified: 2021/11/11
@@ -35,3 +31,6 @@ fields:
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.010
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml
index a297c6680..2da308f2c 100644
--- a/rules/windows/registry_event/sysmon_powershell_as_service.yml
+++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml
@@ -4,7 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2021/05/21
+modified: 2022/01/13
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
@@ -15,6 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|contains: '\Services\'
 TargetObject|endswith: '\ImagePath'
 Details|contains:
diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 65ffce511..b95d8e580 100755
--- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
@@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
 date: 2019/09/12
-modified: 2021/11/27
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|endswith:
 - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
 - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
index 190f33f2c..08f1c07fb 100644
--- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
@@ -7,6 +7,7 @@ references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 date: 2021/02/26
+modified: 2022/01/13
 tags:
 - attack.persistence
 - attack.t1546.012
@@ -14,7 +15,8 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection:
+ selection:
+ EventType: SetValue
 TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
 Details|contains: 'MonitorProcess'
 condition: selection
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
index 058178fcf..abdb2b3c4 100644
--- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@@ -3,6 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f
 description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
 status: experimental
 date: 2021/03/05
+modified: 2022/01/13
 author: Florian Roth
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
@@ -11,6 +12,7 @@ logsource:
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
 Details|contains:
 - 'vbscript'
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 2e2d8bef6..0a5a3fb67 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -7,10 +7,6 @@ references:
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
 modified: 2021/09/17
-tags:
- - attack.persistence
- - attack.t1122 # an old one
- - attack.t1546.015
 logsource:
 category: registry_event
 product: windows
@@ -25,3 +21,6 @@ detection:
 falsepositives:
 - Maybe some system utilities in rare cases use linking keys for backward compatibility
 level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
old mode 100755
new mode 100644
index 7b830997d..841bbd7e4
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/01/08
+modified: 2022/01/19
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -16,6 +16,7 @@ logsource:
 product: windows
 detection:
 selection: # Detect new COM servers in the user hive
+ EventType: SetValue
 TargetObject|startswith:
 - 'HKCR\CLSID\'
 - 'HKCU\Software\Classes\CLSID\'
@@ -52,9 +53,10 @@ detection:
 Details|contains:
 - '\FileRepository\nvmdi.inf'
 filter_edge:
- Image|contains|all:
+ - Image|contains|all:
 - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
 - '\setup.exe'
+ - Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'
 filter_dx:
 Image: 'C:\WINDOWS\SYSTEM32\dxdiag.exe'
 condition: selection and not 1 of filter*
diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
index 42cbead5a..90ee32fba 100644
--- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
+++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
@@ -6,12 +6,13 @@ author: Florian Roth
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
 date: 2020/07/01
-modified: 2021/11/27
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|contains|all:
 - '\Control\Print\Environments\Windows x64\Drivers'
 - '\Manufacturer'
diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
index 15b607a3e..1ab4d22be 100755
--- a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
+++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
@@ -20,5 +20,4 @@ falsepositives:
 level: medium
 tags:
 - attack.initial_access
- - attack.t1193 # an old one
 - attack.t1566.001
diff --git a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
index 4a2d3bb86..03ff9e243 100755
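Review bot: The second `filter_edge` alternative in sysmon_registry_persistence_search_order.yml excludes on `Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'` alone, so any process whose image file name matches, from any directory, is exempted from this COM-server persistence rule; the first alternative anchors to a directory prefix and this one should too. Pair it with the prefix the sibling already uses, e.g. `- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\'` as the list item, followed by the existing `Image|endswith` line as a second field of that item (verify the real install directory of that binary before committing the prefix). The `condition: selection and not 1 of filter*` line picks the tightened alternative up without further change.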
--- a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: critical
 tags:
 - attack.persistence
- - attack.t1101 # an old one
 - attack.t1547.005
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index b790158bc..42eeaf985 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
 - attack.persistence
- - attack.t1060 # an old one
 - attack.t1547.001
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index 0ba4aebe0..83fa79d02 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -23,5 +23,4 @@ level: high
 tags:
 - attack.execution
 - attack.persistence
- - attack.t1177 # an old one
 - attack.t1547.008
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 598a7756b..31e621931 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -6,12 +6,13 @@ author: Florian Roth, oscd.community
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 date: 2018/07/18
-modified: 2021/11/27
+modified: 2022/01/13
 logsource:
 category: registry_event
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
 selection2:
 - Details|startswith:
@@ -32,6 +33,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 - # - capec.270 diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 1bbe17aec..e4e99540b 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml @@ -5,17 +5,14 @@ description: Detects suspicious new RUN key element pointing to an executable in references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth, Markus Neis, Sander Wiebing -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 date: 2018/08/25 -modified: 2021/10/30 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' @@ -38,3 +35,6 @@ fields: falsepositives: - Software using weird folders for updates level: high +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 4fa03b7ea..47489812b 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml 
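Review bot: The rewritten tail of sysmon_susp_run_key_img_folder.yml ends with `\ No newline at end of file` after `- attack.t1547.001`; the relocated tags block should end with a final newline so yamllint's new-line-at-end-of-file check and line-oriented tooling do not trip on it. The same missing final newline appears in sysmon_uac_bypass_sdclt.yml, sysmon_wmi_susp_scripting.yml and the new tools/config/generic/windows-services.yml in this commit. Moving `tags` to the end of the file is also applied only to the three rules rewritten here, while rules touched in the same commit such as win_outlook_c2_registry_key.yml and sysmon_wab_dllpath_reg_change.yml keep `tags` above `date`; either order parses, but one consistent position makes the rule set easier to diff and review.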
@@ -6,12 +6,13 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ date: 2019/04/08 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_1: + EventType: SetValue TargetObject: - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' @@ -29,6 +30,5 @@ falsepositives: - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. level: medium tags: - - attack.t1089 # an old one - attack.t1562.001 - attack.defense_evasion diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index c6a0fd1fb..c02cf18c9 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -7,13 +7,14 @@ references: - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files date: 2019/10/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: selection_registry: + EventType: SetValue TargetObject|contains: - '\Keyboard Layout\Preload\' - '\Keyboard Layout\Substitutes\' diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 01c566580..cbb40e35c 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml 
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -7,7 +7,7 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2021/09/17 +modified: 2022/01/13 logsource: category: registry_event product: windows @@ -15,15 +15,15 @@ detection: selection1: TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: + EventType: SetValue TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1088 # an old one - - attack.t1548.002 - - car.2019-04-001 falsepositives: - unknown level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 351020fc0..195ddd91b 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -10,13 +10,14 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 -modified: 2021/05/21 +modified: 2022/01/13 author: oscd.community, Natalia Shornikova logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' filter: Details: '%CommonProgramFiles%\System\wab32.dll' diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 2d7601fa0..2014a9f78 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml 
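Review bot: `EventType: SetValue` is added to selection2 only; selection1 (`TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand`) still matches every registry event type, and because the condition is `1 of selection*` the rule keeps firing on key create/delete (Sysmon EventID 12) and rename (EventID 14) events for that path, which is unlikely to be intended given the change to selection2. Adding `EventType: SetValue` to selection1 as well keeps both branches consistent, or a comment should state why selection1 is deliberately left broader. The same asymmetry appears in win_registry_shell_open_keys_manipulation.yml, where selection1 and selection3 gain the field but selection2 (`DelegateExecute`) does not; if that omission is intentional it deserves a one-line comment.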
@@ -32,6 +32,5 @@ tags: - attack.privilege_escalation - attack.persistence - attack.defense_evasion - - attack.t1183 # an old one - attack.t1546.012 - car.2013-01-002 diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 62dbf900b..8f438c6a1 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -6,13 +6,14 @@ author: Lednyov Alexey, oscd.community references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ date: 2020/10/16 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: selection: + EventType: SetValue TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml index 148886a9a..a6b8a353b 100644 --- a/rules/windows/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml @@ -12,12 +12,13 @@ tags: - attack.t1008 - attack.t1546 date: 2021/04/05 -modified: 2021/09/13 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_registry: + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 336b5dc84..089a8cc53 100644 
--- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -6,6 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 +modified: 2022/01/13 tags: - attack.persistence - attack.t1112 @@ -18,6 +19,7 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: + EventType: SetValue TargetObject|endswith: Stamp Details: DWORD (0x00000001) selectionUserDefined: diff --git a/rules/windows/registry_event/win_re_blackbyte_ransomware.yml b/rules/windows/registry_event/win_re_blackbyte_ransomware.yml new file mode 100644 index 000000000..657fd0743 --- /dev/null +++ b/rules/windows/registry_event/win_re_blackbyte_ransomware.yml @@ -0,0 +1,27 @@ +title: Blackbyte Ransomware Registry +id: 83314318-052a-4c90-a1ad-660ece38d276 +description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption +author: frack113 +date: 2022/01/24 +status: experimental +references: + - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/ +logsource: + category: registry_event + product: windows +detection: + selection: + EventType: SetValue + TargetObject: + - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections + - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled + Details: DWORD (0x00000001) + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1112 
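Review bot: `EventType: SetValue` is added to selectionStamp only, while the selection whose `- '\Outlook\Today\'` entries open the hunk and selectionUserDefined are left without it; the `condition` that combines them is outside the hunk, so if it is an `all of`/`and` form the new constraint covers the whole rule, but with a `1 of` form the sibling selections still match EventID 12/14 registry events. Either add the field to the sibling selections or record the intent, e.g. `# EventType restricted on selectionStamp only; the other selections intentionally also cover key creation`. The rest of the detection block and the condition are outside the hunk.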
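Review bot: The three `TargetObject` entries are alternatives, so the rule alerts when any single one of them is set to `DWORD (0x00000001)`, and `LongPathsEnabled` set to 1 on its own is a benign developer/installer setting (several common installers offer to enable it), while `LocalAccountTokenFilterPolicy` and `EnableLinkedConnections` are also written by administrative scripts and GPO in many environments; with `level: high` and `falsepositives: Unknown` this will be noisy. Consider dropping `LongPathsEnabled` or requiring more than one of the values in a correlation, and list the known benign sources under `falsepositives` (e.g. `- Administrative scripts or GPO enabling remote local-account logon or linked connections`). The description, `BlackByte set three different registry values ...`, also reads as if all three must be present; it should say that any one of them triggers the rule.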
diff --git a/rules/windows/registry_event/win_re_change_security_zones.yml b/rules/windows/registry_event/win_re_change_security_zones.yml
new file mode 100644
index 000000000..e88bc1e50
--- /dev/null
+++ b/rules/windows/registry_event/win_re_change_security_zones.yml
@@ -0,0 +1,27 @@
+title: IE Change Domain Zone
+id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
+description: Hides the file extension through modification of the registry
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
+ - https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_domains:
+ EventType: SetValue
+ TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
+ filter:
+ Details:
+ - DWORD (0x00000000) # My Computer
+ - DWORD (0x00000001) # Local Intranet Zone
+ condition: selection_domains
+falsepositives:
+ - Administrative scripts
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1137
diff --git a/rules/windows/registry_event/win_re_disable_administrative_share.yml b/rules/windows/registry_event/win_re_disable_administrative_share.yml
new file mode 100644
index 000000000..3a0ad3943
--- /dev/null
+++ b/rules/windows/registry_event/win_re_disable_administrative_share.yml
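Review bot: `filter` is defined but never referenced — the condition is `condition: selection_domains`, so the `Details` exclusion for the My Computer and Local Intranet zone values is dead and the rule fires on every value written under `ZoneMap\Domains\`; the intended line is presumably `condition: selection_domains and not filter`. The description, `Hides the file extension through modification of the registry`, is copied from win_re_hidden_extention.yml and does not describe this rule; something like `Detects a domain being added to an Internet Explorer security zone via the ZoneMap\Domains registry key` matches the title and the references. The ATT&CK tag is also off: `attack.t1137` is Office Application Startup, whereas the referenced atomic test is T1112 (Modify Registry), so `attack.t1112` fits here and in win_re_hidden_extention.yml, which carries the same tag.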
@@ -0,0 +1,26 @@
+title: Disable Administrative Share Creation at Startup
+id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
+description: Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+author: frack113
+date: 2022/01/16
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
+ TargetObject|endswith:
+ - AutoShareWks
+ - AutoShareServer
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
diff --git a/rules/windows/registry_event/win_re_hidden_extention.yml b/rules/windows/registry_event/win_re_hidden_extention.yml
new file mode 100644
index 000000000..f24c17591
--- /dev/null
+++ b/rules/windows/registry_event/win_re_hidden_extention.yml
@@ -0,0 +1,29 @@ +title: Registry Modification to Hidden File Extension +id: 5df86130-4e95-4a54-90f7-26541b40aec2 +description: Hides the file extension through modification of the registry +author: frack113 +date: 2022/01/22 +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd + - https://unit42.paloaltonetworks.com/ransomware-families/ + - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A +logsource: + category: registry_event + product: windows +detection: + selection_HideFileExt: + EventType: SetValue + TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt + Details: DWORD (0x00000001) + selection_Hidden: + EventType: SetValue + TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden + Details: DWORD (0x00000002) + condition: 1 of selection_* +falsepositives: + - Administrative scripts +level: medium +tags: + - attack.persistence + - attack.t1137 diff --git a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml index 8c30a7931..cb73fa4c4 100644 --- a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -3,7 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 -modified: 2021/11/19 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME 
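Review bot: `falsepositives: Administrative scripts` understates the noise of this rule: `Explorer\Advanced\HideFileExt` and `Explorer\Advanced\Hidden` are, as far as I know, written by explorer.exe itself whenever a user toggles the corresponding Folder Options, so at `level: medium` every such click produces an alert (inferred from the value paths — confirm against Sysmon data). A filter on the writing process, e.g. `filter_explorer:` / `Image|endswith: '\explorer.exe'` with `condition: 1 of selection_* and not filter_explorer`, or at least a falsepositives entry naming interactive user changes, would help. `Details: DWORD (0x00000002)` for `Hidden` also appears to be the Windows default ("do not show hidden files"), so the rule additionally triggers when profile defaults are (re)applied.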
@@ -20,11 +20,13 @@ logsource: product: windows detection: selection1: + EventType: SetValue TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' selection2: TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute' selection3: + EventType: SetValue TargetObject|endswith: - 'Classes\ms-settings\shell\open\command\(Default)' - 'Classes\exefile\shell\open\command\(Default)' diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml new file mode 100644 index 000000000..698bd1fb3 --- /dev/null +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -0,0 +1,24 @@ +title: Sysmon Configuration Change +id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 +description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration +status: experimental +author: frack113 +date: 2022/01/12 +references: + - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 16 + # To avoid FP just add + # filter: + # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML' + # condition: selection and not filter + condition: selection +falsepositives: + - legitimate administrative action +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index d6d596476..c47194cf2 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -19,6 +19,5 @@ falsepositives: - exclude legitimate (vetted) use of WMI event subscription in your network level: high tags: - - attack.t1084 # an old one - attack.persistence - attack.t1546.003 
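Review bot: `tags` carries only the tactic `attack.defense_evasion`; the technique for tampering with the Sysmon configuration is `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) and should be listed so the test suite's technique checks and downstream mappings have something to work with. The description also has a typo: `someone trying manipulate the configuration` → `someone trying to manipulate the configuration`. The commented-out `ConfigurationFileHash` filter is a useful hint, but the comment should add that the hash has to be refreshed on every legitimate config update, otherwise the filter silently stops matching and routine changes start alerting.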
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index e4b7fbf1d..cd3dcfc43 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -9,10 +9,6 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2019/04/15 modified: 2021/09/01 -tags: - - attack.t1086 # an old one - - attack.execution - - attack.t1059.005 logsource: product: windows category: wmi_event @@ -43,3 +39,6 @@ fields: falsepositives: - Administrative scripts level: high +tags: + - attack.execution + - attack.t1059.005 \ No newline at end of file diff --git a/tests/test_rules.py b/tests/test_rules.py index be340f84d..0133f0b53 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -375,6 +375,23 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_missing_description(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + descriptionfield = self.get_rule_part(file_path=file, part_name="description") + if not descriptionfield: + print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) + faulty_rules.append(file) + elif not isinstance(descriptionfield, str): + print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + faulty_rules.append(file) + elif len(descriptionfield) < 16: + print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with missing or malformed 'description' field. (create one, e.g. description: Detects the suspicious behaviour of process XY doing YZ)") + def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): @@ -739,7 +756,10 @@ def get_mitre_data(): for r in g.external_references: if 'external_id' in r: MITRE_GROUPS.append(r['external_id'].lower()) - + + # Debugging + print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS))) + # Combine all IDs to a big tag list return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS] diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 9c532f66d..2543aac16 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml 
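Review bot: The length check `elif len(descriptionfield) < 16:` counts surrounding whitespace, so a fifteen-character description padded with spaces or a block scalar ending in a newline passes; `elif len(descriptionfield.strip()) < 16:` measures the actual text. The threshold 16 is a magic number that appears nowhere else — a module-level constant such as `MIN_DESCRIPTION_LENGTH = 16` would make it visible and tunable. The surrounding class continues outside the hunk.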
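Review bot: The `# Debugging` print of `MITRE ATT&CK LIST LENGTHS` is committed into `get_mitre_data()` and will be emitted on every test run; either drop it before merging or guard it behind an environment flag so normal test output stays clean. The preceding change also seems to replace an empty line with one holding only whitespace (`-` → `+ `), the opposite of what linters want, though the collapsed layout makes this hard to confirm. `get_mitre_data()` starts outside the hunk.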
@@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: EventLog: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 80af860a9..7e30b7d13 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: log_name: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 97dfe3ec8..16ae8e6a3 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: log_name: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index 1467124cc..2a04e96ec 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml 
@@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows index: windows diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml new file mode 100644 index 000000000..910d58f04 --- /dev/null +++ b/tools/config/generic/windows-services.yml 
@@ -0,0 +1,148 @@ +title: Conversion of Generic Windows Service to Channel and EventID +order: 15 +logsources: + ps_module: + category: ps_module + product: windows + conditions: + EventID: 4103 + rewrite: + product: windows + service: powershell + ps_script: + category: ps_script + product: windows + conditions: + EventID: 4104 + rewrite: + product: windows + service: powershell + # for the "classic" channel + ps_classic_start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic + ps_classic_provider_start: + category: ps_classic_provider_start + product: windows + conditions: + EventID: 600 + rewrite: + product: windows + service: powershell-classic + ps_classic_script: + category: ps_classic_script + product: windows + conditions: + EventID: 800 + rewrite: + product: windows + service: powershell-classic + windows-application: + product: windows + service: application + conditions: + Channel: Application + windows-security: + product: windows + service: security + conditions: + Channel: Security + windows-system: + product: windows + service: system + conditions: + Channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + Channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + Channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + Channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + Channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + Channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + 
conditions: + Channel: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + Channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + Channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + Channel: 'Microsoft-Windows-PrintService/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + Channel: 'Microsoft-Windows-SmbClient/Security' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + Channel: 'MSExchange Management' + windows-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + Channel: 'Microsoft-ServiceBus-Client' + windows-ladp-client-debug: + product: windows + service: ldap_debug + conditions: + Channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-taskscheduler-operational: + product: windows + service: taskscheduler + conditions: + Channel: 'Microsoft-Windows-TaskScheduler/Operational' + windows-wmi-activity-Operational: + product: windows + service: wmi + conditions: + Channel: 'Microsoft-Windows-WMI-Activity/Operational' \ No newline at end of file diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index b6ab8f5bd..22b09f61d 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
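Review bot: The new generic mapping has no `windows-codeintegrity-operational` entry, although this same commit adds `service: codeintegrity-operational` → `Microsoft-Windows-CodeIntegrity/Operational` to every backend config (elk-*, fireeye-helix, hawk, logpoint, logstash, powershell, splunk, sumologic, thor, winlogbeat*, zircolite); rules using that service convert without any channel condition under this config. Adding the entry next to the printservice ones closes the gap. Two key names also look off: `windows-ladp-client-debug` (presumably `windows-ldap-client-debug`) and `windows-wmi-activity-Operational`, the only mixed-case key in the file; the keys are labels only, so this is cosmetic, but people will grep for them. The file also ends without a final newline.
```yaml
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      Channel: 'Microsoft-Windows-PrintService/Operational'
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    conditions:
      Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
  # … unchanged: smbclient, applocker, exchange and remaining entries …
```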
@@ -356,6 +356,11 @@ logsources: service: printservice-operational conditions: product_name: 'PrintService' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + product_name: 'CodeIntegrity' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index b821d23b8..7e7efbb02 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: event_source: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + event_source: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index f3387e076..555b3335d 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -78,6 +78,11 @@ logsources: service: printservice-operational conditions: Channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 11db7be04..26ad47609 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -46,7 +46,6 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: LogName: 'DNS Server' windows-dns-server-audit: 
@@ -98,6 +97,11 @@ logsources: service: printservice-operational conditions: LogName: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + LogName: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 06b0c7306..bfe59df24 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -107,10 +107,20 @@ logsources: service: printservice-operational conditions: source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + source: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security conditions: source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' + windows-rpc-firewall: + product: rpc_firewall + category: application + conditions: + source: 'WinEventLog:RPCFW' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index 7dea87df9..9998e8cdc 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: EventChannel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/thor.yml b/tools/config/thor.yml index cbed042d5..6b01a4ec8 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
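Review bot: The new `source: 'Microsoft-Windows-CodeIntegrity/Operational'` lacks the `WinEventLog:` prefix that every neighbouring Splunk source carries (`'WinEventLog:Microsoft-Windows-PrintService/Operational'`, `'WinEventLog:Microsoft-Windows-SmbClient/Security'` and the new `'WinEventLog:RPCFW'`), so queries generated for `service: codeintegrity-operational` will not match the Splunk source value and Code Integrity detections silently return nothing. It should read `source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'`. The `windows-rpc-firewall` entry declares `product: rpc_firewall` / `category: application`, which has to agree with the logsource of the new rules under rules/application/rpc_firewall/ (not visible on this page) — worth confirming before merge.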
@@ -315,6 +315,11 @@ logsources: service: printservice-operational sources: - "WinEventLog:Microsoft-Windows-PrintService/Operational" + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + sources: + - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" windows-applocker: product: windows service: applocker diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 07c3c4e09..41517c93f 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 5e913928d..006585294 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -80,6 +80,11 @@ logsources: service: printservice-operational conditions: winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml index af73a56fb..26b41b8ab 100644 --- a/tools/config/zircolite.yml +++ b/tools/config/zircolite.yml 
@@ -68,6 +68,11 @@ logsources: service: printservice-operational conditions: Channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/setup.py b/tools/setup.py index 239d18be7..745d8b58b 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -45,7 +45,7 @@ setup( python_requires='~=3.8', install_requires=['PyYAML', 'pymisp', 'progressbar2', 'ruamel.yaml'], extras_require={ - 'test': ['coverage', 'yamllint'], + 'test': ['coverage', 'yamllint', 'attackcti'], }, data_files=[ ('etc/sigma', [ str(p) for p in Path('config/').glob('*.yml') ]),
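Review bot: `'attackcti'` is added to the test extras without a version bound; the other entries are unbounded too, but this one presumably feeds the ATT&CK lists built in `get_mitre_data()` in tests/test_rules.py and, as far as I know, fetches the STIX dataset over the network at test time, so the suite now fails offline and its results shift as the upstream dataset changes. Consider pinning it (`'attackcti==<VERSION_PLACEHOLDER>'`) and having the dependent tests skip cleanly when the data cannot be fetched, rather than failing unrelated rule checks.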