From 24dfdbd715dc49082942ea7ea8eb531e4a627534 Mon Sep 17 00:00:00 2001 
From: sagiezero <61778471+sagiezero@users.noreply.github.com> Date: Mon, 10 Jan 2022 18:04:43 +0200 Subject: [PATCH 01/90] feat(rules): adding rpc_firewall rules --- .../rpc_firewall_ATSvc_lateral_movement.yml | 35 ++++++++++++++++ .../rpc_firewall/rpc_firewall_ATSvc_recon.yml | 33 +++++++++++++++ .../rpc_firewall_DCSync_attack.yml | 33 +++++++++++++++ ...ITaskSchedulerService_lateral_movement.yml | 42 +++++++++++++++++++ ...c_firewall_ITaskSchedulerService_recon.yml | 39 +++++++++++++++++ .../rpc_firewall_SASec_lateral_movement.yml | 35 ++++++++++++++++ .../rpc_firewall/rpc_firewall_SASec_recon.yml | 32 ++++++++++++++ .../rpc_firewall/rpc_firewall_efs_abuse.yml | 31 ++++++++++++++ .../rpc_firewall_eventLog_recon.yml | 30 +++++++++++++ ...rpc_firewall_printing_lateral_movement.yml | 35 ++++++++++++++++ .../rpc_firewall_remote_DCOM_or_WMI.yml | 39 +++++++++++++++++ ...ewall_remote_registry_lateral_movement.yml | 42 +++++++++++++++++++ .../rpc_firewall_remote_registry_recon.yml | 40 ++++++++++++++++++ ...c_firewall_remote_server_service_abuse.yml | 30 +++++++++++++ ...rewall_remote_service_lateral_movement.yml | 32 ++++++++++++++ .../rpc_firewall_sharphound_recon_account.yml | 29 +++++++++++++ ...rpc_firewall_sharphound_recon_sessions.yml | 29 +++++++++++++ 17 files changed, 586 insertions(+) create mode 100644 rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml create mode 100644 rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml create mode 100644 
rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
create mode 100644 rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml
new file mode 100644
index 000000000..d57005f0f
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml
@@ -0,0 +1,35 @@
+title: Remote Schedule Task Lateral Movement via ATSvc
+id: 1ff70682-0a51-30e8-076d-740be8cee98b
+description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+ OpNum:
+ - 0
+ - 1
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml b/rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml
new file mode 100644
index 000000000..72aa69038
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml
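Review bot: The rule `id` on the second line reuses the ATSvc interface UUID (1ff70682-…) that also appears in `InterfaceUuid`, and the ATSvc recon rule in the next hunk carries the identical `id`, so the two rules cannot be told apart by id. The same interface-UUID-as-id pattern produces duplicate ids for the ITaskSchedulerService pair (86d35949-…), the SASec pair (378e52b0-…), the remote registry pair (338cd001-…) and the remote_server_service_abuse / sharphound_recon_sessions pair (4b324fc8-…). Give each rule a freshly generated UUID, `id: <new random UUID>`, and keep the interface UUID only in `InterfaceUuid` and the `definition` text. Id uniqueness is presumably enforced by the repository's rule tests, so this would likely fail CI as is.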
@@ -0,0 +1,33 @@
+title: Remote Schedule Task Recon via AtScv
+id: 1ff70682-0a51-30e8-076d-740be8cee98b
+description: Detects remote RPC calls to read information about scheduled tasks via AtScv
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/zeronetworks/rpcfirewall
+tags:
+ - attack.ta0007
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
+ filter:
+ OpNum:
+ - 0
+ - 1
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml b/rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml
new file mode 100644
index 000000000..324b08d62
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml
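Review bot: The title and description spell the interface `AtScv`, while the file name, the `definition` text and the lateral-movement rule for the same interface all use `ATSvc`. Change them to `title: Remote Schedule Task Recon via ATSvc` and `description: Detects remote RPC calls to read information about scheduled tasks via ATSvc` so the two ATSvc rules are found together when searching.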
@@ -0,0 +1,33 @@
+title: Possible DCSync Attack
+id: e3514235-4b06-11d1-ab04-00c04fc2dcd2
+description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+tags:
+ - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
+ filter:
+ OpNum:
+ - 0
+ - 1
+ - 12
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
new file mode 100644
index 000000000..ab463fe78
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
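Review bot: The only technique tag is `attack.t1033` (System Owner/User Discovery), which does not describe a directory replication request; the matching ATT&CK entry for DCSync is the OS Credential Dumping sub-technique T1003.006, so the tags should be `- attack.credential_access` and `- attack.t1003.006`, with the first reference URL updated to that technique. Separately, the description says calls "from non DC hosts", but the detection has no source-host condition at all — that restriction lives only in the RPC Firewall configuration described in `definition` — so the description should say that the DC allow-list is expected to be applied in the RPC Firewall rule rather than in this detection.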
@@ -0,0 +1,42 @@
+title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
+id: 86d35949-83c9-4044-b424-db363231fd0c
+description: Detects remote RPC calls to create or execute a scheduled task
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+ OpNum:
+ - 1
+ - 3
+ - 4
+ - 10
+ - 11
+ - 12
+ - 13
+ - 14
+ - 15
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml b/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
new file mode 100644
index 000000000..da09ba148
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
@@ -0,0 +1,39 @@
+title: Remote Schedule Task Recon via ITaskSchedulerService
+id: 86d35949-83c9-4044-b424-db363231fd0c
+description: Detects remote RPC calls to read information about scheduled tasks
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+tags:
+ - attack.ta0007
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
+ filter:
+ OpNum:
+ - 1
+ - 3
+ - 4
+ - 10
+ - 11
+ - 12
+ - 13
+ - 14
+ - 15
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
new file mode 100644
index 000000000..e138fddc1
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
@@ -0,0 +1,35 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+description: Detects remote RPC calls to create or execute a scheduled task via SASec
+references:
+ - https://attack.mitre.org/techniques/T1053/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1053
+ - attack.t1053.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+ OpNum:
+ - 0
+ - 1
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml b/rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml
new file mode 100644
index 000000000..fb28f34b9
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml
@@ -0,0 +1,32 @@
+title: Remote Schedule Task Lateral Movement via SASec
+id: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+description: Detects remote RPC calls to read information about scheduled tasks via SASec
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+tags:
+ - attack.ta0007
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+ filter:
+ OpNum:
+ - 0
+ - 1
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml
new file mode 100644
index 000000000..fc0e768b4
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml
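Review bot: The title `Remote Schedule Task Lateral Movement via SASec` is copied from the lateral-movement rule, but this file is the recon rule: the path is `rpc_firewall_SASec_recon.yml`, the description says "read information about scheduled tasks", the only tag is attack.ta0007 and the `filter` excludes OpNum 0 and 1, which the lateral-movement rule matches. Change it to `title: Remote Schedule Task Recon via SASec` so the two rules are not shown under one name in alert output.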
@@ -0,0 +1,31 @@
+title: Remote Encrypting File System Abuse
+id: df1941c5-fe89-4e79-bf10-463657acf44d
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - df1941c5-fe89-4e79-bf10-463657acf44d
+ - c681d488-d850-11d0-8c52-00c04fd90f7e
+ condition: selection
+falsepositives:
+ - Legitimate usage of remote file encryption
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml b/rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml
new file mode 100644
index 000000000..b9d1a0643
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml
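Review bot: The `definition` string opens a double quote after `with` and never closes it — it ends `… or c681d488-d850-11d0-8c52-00c04fd90f7e'` — so the RPC Firewall configuration fragment an operator is told to copy is malformed; close it with `"` before the final `'`, matching the `…"'` form used in the ATSvc and task scheduler rules. The same unclosed quote appears in the printing, DCOM/WMI, remote server service, remote service and both SharpHound rules later in this patch. It would also help readers if the definition followed the literal config syntax the tool expects (the ATSvc rule writes `uuid:` per interface, this one writes `uuid:A or B`) — please confirm against the rpcfirewall README which form is actually accepted.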
@@ -0,0 +1,30 @@
+title: Remote Event Log Recon
+id: 82273fdc-e32a-18c3-3f78-827929dc23ea
+description: Detects remote RPC calls to get event log information via EVEN or EVEN6
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://github.com/zeronetworks/rpcfirewall
+tags:
+ - attack.ta0007
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 82273fdc-e32a-18c3-3f78-827929dc23ea
+ - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
+ condition: selection
+falsepositives:
+ - remote administrative tasks on Windows Events
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
new file mode 100644
index 000000000..dc8b209ef
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -0,0 +1,35 @@
+title: Remote Printing Abuse for Lateral Movement
+id: 12345678-1234-abcd-ef00-0123456789ab
+description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 12345678-1234-abcd-ef00-0123456789ab
+ - 76f03f96-cdfd-44fc-a22c-64950a001209
+ - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
+ - ae33069b-a2a8-46ee-a235-ddfd339be281
+ condition: selection
+falsepositives:
+ - actual printing
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml b/rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
new file mode 100644
index 000000000..5dd592e2b
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
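Review bot: The description names MS-RPRN / MS-PAR, but the fourth reference links the ms-pan specification (asynchronous notification), and no MS-PAR reference is given, so a reader cannot check which of the four `InterfaceUuid` values belongs to which protocol; add the MS-PAR link or reword the description to cover MS-PAN as well (76f03f96-… looks like the MS-PAR interface and ae33069b-… / 0b6edbfa-… look like MS-PAN ones — please confirm against the specs before relying on that). `falsepositives: actual printing` is too vague to act on during triage; something like `- Legitimate remote print spooler usage (print servers, printer management)` tells an analyst what to check. The rule `id` 12345678-1234-abcd-ef00-0123456789ab reads like a placeholder even though it is the spoolss interface UUID, which is another reason to keep rule ids separate from interface UUIDs.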
@@ -0,0 +1,39 @@
+title: Remote DCOM/WMI Lateral Movement
+id: 000001A0-0000-0000-C000-000000000046
+description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://attack.mitre.org/techniques/T1021/003/
+ - https://attack.mitre.org/techniques/T1047/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1021.003
+ - attack.t1047
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
+ - 99fcfec4-5260-101b-bbcb-00aa0021347a
+ - 000001a0-0000-0000-c000-000000000046
+ - 00000131-0000-0000-c000-000000000046
+ - 00000143-0000-0000-c000-000000000046
+ - 00000000-0000-0000-c000-000000000046
+ condition: selection
+falsepositives:
+ - Some administrative tasks on remote host
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
new file mode 100644
index 000000000..6312ed6ca
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
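Review bot: The `definition` tells the operator to configure the RPC Firewall for uuid 367abb81-9844-35f1-ad32-98f038001003, which is the interface the remote-service rule later in this patch matches, while this detection matches six different DCOM/OXID-resolver interface UUIDs; an operator who follows the definition as written would never generate the events this rule selects on. List the six `InterfaceUuid` values in the definition instead (and close the double quote it opens). The Microsoft reference points at the MS-SRVS (server service) spec rather than the DCOM protocol spec, and the rule `id` is the upper-case form of the third detection UUID, which invites confusion with the interface itself; a fresh UUID for the rule id avoids that.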
@@ -0,0 +1,42 @@
+title: Remote Registry Lateral Movement
+id: 338cd001-2244-31f1-aaaa-900038001003
+description: Detects remote RPC calls to modify the registry and possible execute code
+references:
+ - https://attack.mitre.org/techniques/T1112/
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1112
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+ OpNum:
+ - 6
+ - 7
+ - 8
+ - 13
+ - 18
+ - 19
+ - 21
+ - 22
+ - 23
+ - 35
+ condition: selection
+falsepositives:
+ - Remote administration of registry values
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml
new file mode 100644
index 000000000..c7abe6e4a
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml
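Review bot: `description: Detects remote RPC calls to modify the registry and possible execute code` has a grammar slip and does not say which interface is meant; write `description: Detects remote RPC calls to the remote registry service (MS-RRP) that modify keys or values and could be used to execute code`. Ten opnums are listed without any hint of what they are, so a maintainer cannot tell whether the list is complete or why 35 belongs with the write operations; a short comment above `OpNum:` naming the operation class covered (write/create/delete, per the MS-RRP reference) would make the list reviewable.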
@@ -0,0 +1,40 @@
+title: Remote Registry Recon
+id: 338cd001-2244-31f1-aaaa-900038001003
+description: Detects remote RPC calls to collect information
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+tags:
+ - attack.ta0007
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
+ filter:
+ OpNum:
+ - 6
+ - 7
+ - 8
+ - 13
+ - 18
+ - 19
+ - 21
+ - 22
+ - 23
+ - 35
+ condition: selection and not filter
+falsepositives:
+ - Remote administration of registry values
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
new file mode 100644
index 000000000..9e89d7526
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
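Review bot: `description: Detects remote RPC calls to collect information` does not name the interface or the data collected, so the rule reads the same as the event log and scheduled task recon rules; write `description: Detects remote RPC calls to the remote registry service (MS-RRP) that read registry keys and values`, which also matches the MS-RRP reference below it. Since the `filter` list is the exact opnum set the lateral-movement rule matches, a one-line comment above `filter:` saying that the two rules are meant to be complementary would stop someone editing one list without the other.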
@@ -0,0 +1,30 @@
+title: Remote Server Service Abuse
+id: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 4b324fc8-1670-01d3-1278-5a47bf6ee188
+ condition: selection
+falsepositives:
+ - Legitimate remote share creation
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
new file mode 100644
index 000000000..3588cccbd
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
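Review bot: The description `Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR` is copied from the EFS rule; this rule matches the MS-SRVS interface (4b324fc8-…) and its false-positive entry talks about share creation, so it should read something like `description: Detects remote RPC calls to the Server Service (MS-SRVS) that could be abused to create or manipulate remote shares for lateral movement`. Note that the SharpHound sessions rule later in this patch matches the same interface with `OpNum: 12`, while this rule matches every opnum on it, so every session-enumeration hit will also raise this high-severity alert; either exclude the opnums the recon rule owns or state in the description that this is a catch-all for the interface. `InterfaceUuid` is a one-element list here, whereas the other single-interface rules use a scalar.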
@@ -0,0 +1,32 @@
+title: Remote Server Service Abuse for Lateral Movement
+id: 367abb81-9844-35f1-ad32-98f038001003
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+references:
+ - https://attack.mitre.org/tactics/TA0008/
+ - https://attack.mitre.org/techniques/T1569/002/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+tags:
+ - attack.lateral_movement
+ - attack.ta0008
+ - attack.t1569.002
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid:
+ - 367abb81-9844-35f1-ad32-98f038001003
+ condition: selection
+falsepositives:
+ - Administrative tasks on remote services
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
new file mode 100644
index 000000000..a1bb3e059
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
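Review bot: Both the title (`Remote Server Service Abuse for Lateral Movement`) and the description (MS-EFSR encryption service) are copied from other rules in this patch, while the interface 367abb81-… and the attack.t1569.002 (Service Execution) tag point at the service control manager interface (svcctl, MS-SCMR). Rename to `title: Remote Service Control Manager Abuse for Lateral Movement` and `description: Detects remote RPC calls to the Service Control Manager (MS-SCMR) that could be used to create or start services on a remote host`, and replace the MS-SRVS reference with the MS-SCMR specification so the description, tag and reference agree. The file name `rpc_firewall_remote_service_lateral_movement.yml` already reflects the intended scope.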
@@ -0,0 +1,29 @@
+title: SharpHound Recon Account Discovery
+id: 6bffd098-a112-3610-9833-46c3f87e345a
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+ - https://attack.mitre.org/techniques/T1087/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
+tags:
+ - attack.t1087
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
+ OpNum: 2
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
new file mode 100644
index 000000000..db8950aac
--- /dev/null
+++ b/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
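Review bot: `useb` in the description should be `used`. The description also says the call maps "remote connections and local group membership", which is the wording reused by the sessions rule that follows, whereas this rule keys on MS-WKST opnum 2; describe what that specific call returns (presumably the users logged on to the workstation — confirm against the MS-WKST reference linked above) so an analyst knows what the event means. `falsepositives: Unknown` is honest but weak for a `level: high` rule that fires on a single opnum any inventory tool may call; if the authors have seen benign callers, naming them here would help.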
@@ -0,0 +1,29 @@
+title: SharpHound Recon Sessions
+id: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+tags:
+ - attack.t1033
+status: experimental
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
+logsource:
+ product: windows
+ service: rpc_firewall
+ definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
+ references:
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+detection:
+ selection:
+ - EventLog: RPCFW
+ EventID: 3
+ InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+ OpNum: 12
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 09aaec8ed2cf1ea9e94d9ad9f7a612944e019342 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 12 Jan 2022 11:32:12 +0100
Subject: [PATCH 02/90] rules: ntds.dit write, minimized msedge
---
.../file_event/file_event_susp_ntds_dit.yml | 26 +++++++++++++++++++ ...ess_creation_msedge_minimized_download.yml | 23 ++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 rules/windows/file_event/file_event_susp_ntds_dit.yml
create mode 100644 rules/windows/process_creation/process_creation_msedge_minimized_download.yml
diff --git a/rules/windows/file_event/file_event_susp_ntds_dit.yml b/rules/windows/file_event/file_event_susp_ntds_dit.yml
new file mode 100644
index 000000000..3e2d41cf3
--- /dev/null
+++ b/rules/windows/file_event/file_event_susp_ntds_dit.yml
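Review bot: The description is identical to the account-discovery rule, typo included, although this rule is titled as session recon and matches MS-SRVS opnum 12 rather than MS-WKST opnum 2; use `description: Detects remote RPC calls used by SharpHound to enumerate sessions on remote hosts via MS-SRVS`. The two SharpHound rules and the DCSync rule write `falsepositives: Unknown` while the rest of this patch writes `unknown`; pick one spelling for the set.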
@@ -0,0 +1,26 @@
+title: Suspicious Process Writes Ntds.dit
+id: 11b1ed55-154d-4e82-8ad7-83739298f720
+status: experimental
+description: Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file
+references:
+ - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
+ - https://adsecurity.org/?p=2398
+author: Florian Roth
+date: 2022/01/11
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+ - attack.t1003.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '\ntds.dit'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\cmd.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/process_creation_msedge_minimized_download.yml b/rules/windows/process_creation/process_creation_msedge_minimized_download.yml
new file mode 100644
index 000000000..0a1e53dea
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msedge_minimized_download.yml
@@ -0,0 +1,23 @@
+title: Suspicious Minimized MSEdge Start
+id: 94771a71-ba41-4b6e-a757-b531372eaab6
+description: Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet
+author: Florian Roth
+date: 2022/01/11
+references:
+ - https://twitter.com/mrd0x/status/1478234484881436672?s=12
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'start /min msedge'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)
+level: high
From f77da595c4dbf016ce199f36d78611eb2294a27e Mon Sep 17 00:00:00 2001
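Review bot: `a Active Directory database` in the description should be `an Active Directory database`. More usefully, the rule's scope is narrower than the title suggests: it fires only when the writing image ends in `\powershell.exe` or `\cmd.exe`, so copies of ntds.dit made by other processes are deliberately out of scope, and that choice should be stated in the description (e.g. `… written by a command shell or PowerShell`) or in a comment on `Image|endswith:` so nobody assumes the rule covers every ntds.dit write.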
From: Florian Roth
Date: Wed, 12 Jan 2022 11:32:34 +0100
Subject: [PATCH 03/90] fix: FPs noticed with Aurora
---
rules/windows/image_load/sysmon_wmi_module_load.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 9b2f87abb..971fdb340 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/11/25
+modified: 2022/01/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -48,6 +48,8 @@ detection:
 - '\explorer.exe'
 - '\opera_autoupdate.exe'
 - '\MsMpEng.exe'
+ - '\thor64.exe'
+ - '\thor.exe'
 filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
 Image|startswith:
 - 'C:\Program Files\'
From b6d4e39538d2cd62729062e2e6b978f6de87bdd1 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 12 Jan 2022 12:55:49 +0100
Subject: [PATCH 04/90] feat: check for the existence of a description field it is not mandatory in the sigma standard but mandatory for this repository
---
.../file_event/file_event_susp_task_write.yml | 7 ++++--- .../powershell_azurehound_commands.yml | 5 +++-- .../win_purplesharp_indicators.yml | 7 +++---- tests/test_rules.py | 17 +++++++++++++++++
4 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml
index 1204a2901..c2cee9c49 100644
--- a/rules/windows/file_event/file_event_susp_task_write.yml
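Review bot: The two added entries (`- '\thor64.exe'`, `- '\thor.exe'`) exclude any image whose name ends that way regardless of where it runs, while the `filter_generic` comment directly below records that this rule already had false-positive trouble and was deliberately scoped to administrator-only folders; a name-only exclusion is weaker than that, because any binary can carry the file name. If the scanner runs from a fixed location, express the exclusion as a full path or as an `Image|startswith` entry next to the existing path-based ones, or add a comment explaining why the bare name is acceptable here. The filter list these lines extend starts above the hunk, so the field it belongs to is not visible in this view.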
+++ b/rules/windows/file_event/file_event_susp_task_write.yml
@@ -1,11 +1,12 @@
-title: Suspicious Scheduled Task Writ to System32 Tasks
+title: Suspicious Scheduled Task Write to System32 Tasks
 id: 80e1f67a-4596-4351-98f5-a9c3efabac95
 status: experimental
-description:
+description: Detects the creation of tasks from processes executed from suspicious locations
 references:
- - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+ - Internal Research
 author: Florian Roth
 date: 2021/11/16
+modified: 2022/01/12
 tags:
 - attack.persistence
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
index ba1adbeb0..6adae36db 100644
--- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
@@ -1,16 +1,17 @@
 title: AzureHound PowerShell Commands
 id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
 status: experimental
-description:
+description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
 references:
 - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 author: Austin Songer (@austinsonger)
 date: 2021/10/23
+modified: 2022/01/12
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
 ScriptBlockText|contains: Invoke-AzureHound
diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml
index 1d0969a5f..987211efa 100644
--- a/rules/windows/process_creation/win_purplesharp_indicators.yml
+++ b/rules/windows/process_creation/win_purplesharp_indicators.yml
@@ -1,10 +1,10 @@ title: PurpleSharp Indicator id: ff23ffbc-3378-435e-992f-0624dcf93ab4 status: experimental -description: Detect +description: Detects the execution of the PurpleSharp adversary simulation tool author: Florian Roth date: 2021/06/18 -modified: 2021/07/06 +modified: 2022/01/12 references: - https://github.com/mvelazc0/PurpleSharp logsource: @@ -16,8 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFileName: - - 'PurpleSharp.exe' + OriginalFileName: 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: - Unlikely diff --git a/tests/test_rules.py b/tests/test_rules.py index be340f84d..b83726cee 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -375,6 +375,23 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_missing_description(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + descriptionfield = self.get_rule_part(file_path=file, part_name="description") + if not descriptionfield: + print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) + faulty_rules.append(file) + elif not isinstance(descriptionfield, str): + print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + faulty_rules.append(file) + elif len(descriptionfield) < 16: + print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with missing or malformed 'description' field. (create one, e.g. description: Detects the suspicious behaviour of process XY doing YZ)") + def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 460ed232491a861cc903b7ac88924a6532d5af8a Mon Sep 17 00:00:00 2001 
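Review bot: `len(descriptionfield) < 16` in the new `test_missing_description` counts surrounding whitespace, so a description padded with spaces or carrying the trailing newline of a `|` block scalar passes the length check; use `elif len(descriptionfield.strip()) < 16:`. The threshold itself is a magic number and deserves a name or a comment, e.g. `MIN_DESCRIPTION_LENGTH = 16  # shortest acceptable "Detects ..." one-liner`. The `for` loop of `test_optional_date_modified` at the end of the hunk continues outside it.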
From: nwh2 <81748765+nwh2@users.noreply.github.com> Date: Wed, 12 Jan 2022 14:44:55 +0100 Subject: [PATCH 05/90] Fix incorrectly formatted Winget LOLbin date --- .../process_creation/win_lolbin_execution_via_winget.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml index 6821201cf..7911e9cc3 100644 --- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml @@ -5,7 +5,7 @@ status: experimental references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 -date: 2020/21/04 +date: 2020/04/21 modified: 2022/01/11 tags: - attack.defense_evasion @@ -27,4 +27,4 @@ falsepositives: - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. fields: - CommandLine -level: medium \ No newline at end of file +level: medium From 22338b762aa6a5e678eefd883cc1f79ac1efdac2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Jan 2022 16:35:24 +0100 Subject: [PATCH 06/90] fix: FPs with Java shell spawn rule --- .../process_creation_shell_spawn_by_java.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml index 9adb6d3c1..13073ec7d 100644 --- a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml +++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml 
@@ -4,7 +4,7 @@ description: Detects shell spawn from Java host process, which could a maintenan status: experimental author: Andreas Hunkeler (@Karneades) date: 2021/12/17 -modified: 2021/12/18 +modified: 2022/01/12 tags: - attack.initial_access - attack.persistence @@ -17,7 +17,10 @@ detection: ParentImage|endswith: '\java.exe' Image|endswith: - '\cmd.exe' - condition: selection + filter: + ParentImage|contains: 'build' # excluding CI build agents + CommandLine|contains: 'build' # excluding CI build agents + condition: selection and not filter falsepositives: - Legitimate calls to system binaries - Company specific internal usage From 592485fac54d3539ee8b99677fd0facb67cbecd0 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:27:56 +0100 Subject: [PATCH 07/90] Windows Redcannary --- .../posh_ps_create_volume_shadow_copy.yml | 26 +++++++++++++++++++ .../posh_ps_suspicious_gwmi.yml | 25 ++++++++++++++++++ .../win_pc_uninstall_sysmon.yml | 24 +++++++++++++++++ .../sysmon/sysmon_config_modification.yml | 20 ++++++++++++++ 4 files changed, 95 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml create mode 100644 rules/windows/process_creation/win_pc_uninstall_sysmon.yml create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml new file mode 100644 index 000000000..6c098c110 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml 
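Review bot: The new `filter` excludes any event where both `ParentImage` and `CommandLine` contain the bare substring `build`, which is a very broad exclusion for a rule whose only signal is a shell spawned by `java.exe`; a Java service deployed under any path containing `build` would be silently dropped. If the goal is CI agents, anchor the exclusion to the agent's known location, e.g. `ParentImage|startswith: '<CI_AGENT_INSTALL_PATH>'` (placeholder), and keep the `CommandLine` clause only if it adds something the path does not. Also record in `falsepositives` that CI build agents are the expected source of noise, since the inline `# excluding CI build agents` comments are dropped by every YAML parser and will not reach the converted rule.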
@@ -0,0 +1,26 @@ +title: Create Volume Shadow Copy with Powershell +id: afd12fed-b0ec-45c9-a13d-aa86625dac81 +status: experimental +description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - win32_shadowcopy + - ').Create(' + - ClientAccessible + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: high +tags: + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml new file mode 100644 index 000000000..de0c276a4 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml 
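Review bot: The `description` is the generic ATT&CK wording for the data source and does not say what the rule actually matches, which is a script block that calls `.Create(` on `win32_shadowcopy` together with `ClientAccessible`; something like `description: Detects PowerShell script blocks that create a Volume Shadow Copy via the Win32_ShadowCopy WMI class, a step often used to copy locked files such as the Active Directory database` would let an analyst triage the alert without reading the selection. With `level: high`, the single `falsepositives` entry `Legitimate PowerShell scripts` is thin: backup and imaging scripts presumably use the same class, so naming that source of noise would help tuning.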
@@ -0,0 +1,25 @@ +title: Suspicious Get-WmiObject +id: 0332a266-b584-47b4-933d-a00b103e1b37 +status: experimental +description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - Get-WmiObject + - gwmi + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: low +tags: + - attack.persistence + - attack.t1546 diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml new file mode 100644 index 000000000..11a90070f --- /dev/null +++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml @@ -0,0 +1,24 @@ +title: Uninstall Sysinternals Sysmon +id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 +status: experimental +description: Uninstall Sysinternals Sysmon for Defense Evasion +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon +author: frack113 +date: 2022/01/12 +logsource: + category: process_creation + product: windows +detection: + sysmon: + Image|endswith: + - \Sysmon64.exe + - \Sysmon.exe + CommandLine|contains: '-u' + condition: sysmon +falsepositives: + - unknown +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml new file mode 100644 index 000000000..87b371606 --- /dev/null +++ b/rules/windows/sysmon/sysmon_config_modification.yml 
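Review bot: The `description` is lifted from the WMI documentation and describes WMI itself rather than what the rule detects, and the tag `attack.t1546` (Event Triggered Execution) does not obviously fit a `Get-WmiObject`/`gwmi` query; `attack.t1047` (Windows Management Instrumentation) seems a closer match, if that is the intent. Suggest `description: Detects the use of Get-WmiObject or its gwmi alias in PowerShell script blocks, which is frequently used for host and domain reconnaissance` and re-checking the tag. Note also that `contains: gwmi` is a bare substring and will match identifiers that merely contain it, which is consistent with `level: low` but worth stating in `falsepositives`.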
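Review bot: `CommandLine|contains: '-u'` is a bare two-character substring, so any Sysmon invocation whose path or argument contains `-u` (for example a configuration file name with a hyphen followed by `u`) triggers the rule; use `CommandLine|contains: ' -u'` to require the switch position, which still covers ` -u force`. The two `Image|endswith` entries are unquoted plain scalars starting with a backslash, which is valid YAML but differs from the quoted style used elsewhere in the repository (`'\Sysmon64.exe'`). The new file also ends without a trailing newline (`\ No newline at end of file`), the same issue PATCH 05 in this series fixes in another rule.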
@@ -0,0 +1,20 @@ +title: Sysmon Configuration Change +id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 +description: Someone can try to hide from Sysmon +status: experimental +author: frack113 +date: 2022/01/12 +references: + - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 16 + condition: selection +falsepositives: + - legitimate administrative action +level: medium +tags: + - attack.defense_evasion From 41f0ccbca57d663a03823e10e8cb853b648d45c4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Jan 2022 22:28:21 +0100 Subject: [PATCH 08/90] fix: filter in rule --- .../process_creation/win_susp_squirrel_lolbin.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index c8b351ed9..ea3b72cae 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2021/12/07 +modified: 2022/01/12 logsource: category: process_creation product: windows @@ -24,10 +24,11 @@ detection: - '--createShortcut' CommandLine|contains|all: - '.exe' - filter: + filter1: CommandLine|contains|all: - - 'C:\\Users\\' - - '\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe' + - 'C:\Users\' + - '\AppData\Local\Discord\Update.exe' + - ' --processStart Discord.exe' condition: selection and not 1 of filter* falsepositives: - 1Clipboard From baaef207cb0378f6d915197e7e819a16226d6ced Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 13 Jan 2022 06:38:43 +0100 Subject: [PATCH 09/90] Add filter help --- rules/windows/sysmon/sysmon_config_modification.yml | 4 ++++ 1 file changed, 4 insertions(+) 
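Review bot: `description: Someone can try to hide from Sysmon` does not say what is matched; the selection is Sysmon event ID 16 (configuration state changed), so `description: Detects a change of the Sysmon configuration (event ID 16), which may indicate an attempt to tamper with or blind Sysmon logging` would make the alert self-explanatory. The `falsepositives` entry should also state that every planned configuration update, for example by deployment tooling, produces this event, which is the reason for `level: medium`.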
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 87b371606..dc24421ae 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -12,6 +12,10 @@ logsource: detection: selection: EventID: 16 + # To avoid FP just add + # filter: + # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML' + # condition: selection and not filter condition: selection falsepositives: - legitimate administrative action From 56097703f1b49fa9166f1f02d21e875d1c4bcb99 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 09:17:42 +0100 Subject: [PATCH 10/90] fix: FP detected with Aurora --- rules/windows/process_access/win_susp_proc_access_lsass.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index e7724a1fa..11bc6e347 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2022/01/08 +modified: 2022/01/13 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -62,6 +62,7 @@ detection: - 'C:\Program Files\Windows Defender\MsMpEng.exe' - 'C:\Windows\SysWOW64\msiexec.exe' - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\System32\lsass.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' From 7f357c963b76fccca83782d1206acf42b562eb72 Mon Sep 17 00:00:00 2001 
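Review bot: The inline comment `# Windows Defender` on the new entry `'C:\Windows\System32\lsass.exe'` is misleading: the path is LSASS itself, so this entry (apparently in a `SourceImage` list; its key is above the hunk) excludes LSASS-to-LSASS access rather than anything Defender-owned. If the observation behind the FP is that Defender's inspection shows up with LSASS as the source image, say so: `- 'C:\Windows\System32\lsass.exe'  # self-access observed on hosts running Windows Defender`. Otherwise a future reader may remove the entry when Defender is not in use, or keep it without knowing what it silences.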
From: Florian Roth Date: Thu, 13 Jan 2022 13:09:08 +0100 Subject: [PATCH 11/90] refactor: slightly improved rule --- .../process_creation/win_susp_regsvr32_http_pattern.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml b/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml index 0c347cf21..f7690358b 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_http_pattern.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN references: - https://twitter.com/mrd0x/status/1461041276514623491c19-ps + - https://twitter.com/tccontre18/status/1480950986650832903 tags: - attack.defense_evasion - attack.t1218.010 @@ -15,8 +16,8 @@ logsource: detection: selection_flags: CommandLine|contains|all: - - ' /s ' - - ' /u ' + - ' /s' + - ' /u' selection_ip: CommandLine|contains: - ' /i:http://1' From 943a89c265074d66fab1d55305c12ca960117d2f Mon Sep 17 00:00:00 2001 
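Review bot: Dropping the trailing space from `' /s '` and `' /u '` widens the flag match to any switch beginning with `/s` or `/u` (e.g. `/silent`), presumably so that a flag at the end of the command line is still matched; the `selection_ip` clause requiring ` /i:http://1` keeps the rule tight, but the reason should be recorded next to the values: `- ' /s'  # no trailing space: flag may be last on the command line`. The `selection_ip` list continues outside the hunk.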
From: frack113 Date: Thu, 13 Jan 2022 16:28:29 +0100 Subject: [PATCH 12/90] Add setvalue for Details --- ...sing_windows_telemetry_for_persistence.yml | 3 ++- .../registry_event_defender_disabled.yml | 3 ++- .../registry_event_mal_adwind.yml | 3 ++- .../registry_event_uac_bypass_winsat.yml | 2 ++ .../registry_event_uac_bypass_wmp.yml | 2 ++ ...mon_asep_reg_keys_modification_classes.yml | 3 ++- ...smon_asep_reg_keys_modification_commun.yml | 3 ++- ...eg_keys_modification_currentcontrolset.yml | 3 ++- ...p_reg_keys_modification_currentversion.yml | 3 ++- ...eg_keys_modification_currentversion_nt.yml | 3 ++- ...eg_keys_modification_internet_explorer.yml | 3 ++- ...smon_asep_reg_keys_modification_office.yml | 3 ++- ..._reg_keys_modification_session_manager.yml | 3 ++- ...p_reg_keys_modification_system_scripts.yml | 3 ++- ...on_asep_reg_keys_modification_winsock2.yml | 3 ++- ...asep_reg_keys_modification_wow6432node.yml | 3 ++- ..._keys_modification_wow6432node_classes.yml | 3 ++- ...odification_wow6432node_currentversion.yml | 3 ++- .../registry_event/sysmon_cve_2020_1048.yml | 3 ++- .../sysmon_dns_over_https_enabled.yml | 19 +++++++++++-------- .../registry_event/sysmon_etw_disabled.yml | 3 ++- ...n_hybridconnectionmgr_svc_installation.yml | 2 ++ .../sysmon_powershell_as_service.yml | 3 ++- .../sysmon_rdp_registry_modification.yml | 3 ++- .../sysmon_reg_silentprocessexit.yml | 4 +++- .../sysmon_reg_vbs_payload_stored.yml | 2 ++ ...smon_registry_persistence_search_order.yml | 3 ++- .../sysmon_registry_susp_printer_driver.yml | 3 ++- .../sysmon_susp_reg_persist_explorer_run.yml | 3 ++- .../sysmon_susp_run_key_img_folder.yml | 3 ++- .../sysmon_susp_service_installed.yml | 3 ++- ...sysmon_suspicious_keyboard_layout_load.yml | 3 ++- .../sysmon_uac_bypass_sdclt.yml | 3 ++- .../sysmon_wab_dllpath_reg_change.yml | 3 ++- .../sysmon_win_reg_telemetry_persistence.yml | 3 ++- .../win_outlook_c2_registry_key.yml | 3 ++- .../win_outlook_registry_todaypage.yml | 2 ++ 
..._registry_shell_open_keys_manipulation.yml | 4 +++- 38 files changed, 87 insertions(+), 40 deletions(-) diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index ecf8aba9b..bfdd0738b 100644 --- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -11,7 +11,7 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/09/24 +modified: 2022/01/13 fields: - EventID - CommandLine @@ -22,6 +22,7 @@ logsource: category: registry_event detection: selection: + EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - .sh diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index 0d3faa4e0..5c95188e2 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/10/18 +modified: 2022/01/13 author: Ján Trenčanský, frack113, AlertIQ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -27,6 +27,7 @@ detection: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' selection2: + EventType: SetValue TargetObject: - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend' - 'HKLM\SOFTWARE\Microsoft\Windows Defender' 
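Review bot: `EventType: SetValue`, added to the selections here and in every other registry_event hunk of this patch (registry_event_mal_adwind, the two registry_event_uac_bypass_* rules, all sysmon_asep_reg_keys_modification_* rules, sysmon_cve_2020_1048, sysmon_dns_over_https_enabled, sysmon_etw_disabled, sysmon_hybridconnectionmgr_svc_installation), is the Sysmon event ID 13 field and value, while the rules keep the generic `category: registry_event` logsource that backends may map to non-Sysmon registry sources where no such field exists. For selections that already match on `Details` the clause is redundant under Sysmon, because only value-set events carry `Details`; for the key-path-only selections such as the ASEP `*_base` blocks it is a real narrowing that silently drops key creation and value deletion events on the same paths. State the intent once per rule, e.g. `EventType: SetValue  # Sysmon EID 13 only: restrict to value writes`, and confirm that dropping create/delete events is wanted for the ASEP rules.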
diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml index 3bdba761b..1cc8bfc66 100644 --- a/rules/windows/registry_event/registry_event_mal_adwind.yml +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml @@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2021/09/19 +modified: 2022/01/13 tags: - attack.execution - attack.t1059.005 @@ -21,6 +21,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection diff --git a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml index 43efa10c9..5280038f2 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml @@ -3,6 +3,7 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) author: Christian Burkard date: 2021/08/30 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|' TargetObject|endswith: '\LowerCaseLongPath' Details|startswith: 'c:\users\' diff --git a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml index 22f04a705..ea145d3c0 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml 
+++ b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml @@ -3,6 +3,7 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) author: Christian Burkard date: 2021/08/23 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' Details: 'Binary Data' condition: selection diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml index 2cb80ab88..44b01ed98 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: classes_base: + EventType: SetValue TargetObject|contains: '\Software\Classes' classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml index e9d0e9331..f797c50fe 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: main_selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml index 1b1bd16f6..8e3ffd89c 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: system_control_base: + EventType: SetValue TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' system_control: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml index 9c4e8b390..46bffafb9 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml index b6bdedcbc..095e0837e 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml index 13a3112d1..b78b65a14 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: ie: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Internet Explorer' - '\Software\Microsoft\Internet Explorer' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml index 46a4479e5..235706a41 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: office: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Office' - '\Software\Microsoft\Office' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml index 08830dc05..7ccafcdcc 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: session_manager_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' session_manager: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml index 0b721eb8b..41cbd4739 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: scripts_base: + EventType: SetValue TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' scripts: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml index b283e6a61..318b9db59 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/01/08 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: winsock_parameters_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml index e7d956008..6a49c0f88 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/19 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml index c91ab45d0..41cc28651 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_classes_base: + EventType: SetValue TargetObject|contains: '\Software\Wow6432Node\Classes' wow_classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml index 2f07e05a1..a0b9eba10 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_cve_2020_1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml index f87f36d85..c5e24e178 100644 --- a/rules/windows/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/windows/registry_event/sysmon_cve_2020_1048.yml 
@@ -6,12 +6,13 @@ author: EagleEye Team, Florian Roth, NVISO references: - https://windows-internals.com/printdemon-cve-2020-1048/ date: 2020/05/13 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' Details|contains: - '.dll' diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index c5138d2bf..55b34be14 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
@@ -1,33 +1,36 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 -date: 2021/07/22 -modified: 2021/09/08 +status: experimental description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer -status: experimental references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 +date: 2021/07/22 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection_edge: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection_chrome: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection_firefox: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' Details: 'DWORD (1)' - condition: selection_edge or selection_chrome or selection_firefox + condition: 1 of selection_* falsepositives: - Unlikely level: medium +tags: + - attack.defense_evasion + - attack.t1140 + - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml index 0694d6440..5253af2c4 100644 --- a/rules/windows/registry_event/sysmon_etw_disabled.yml +++ b/rules/windows/registry_event/sysmon_etw_disabled.yml 
@@ -14,12 +14,13 @@ references: - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code date: 2020/06/05 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' condition: selection diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index f9e53a3dc..3dbb8e686 100644 --- a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -3,6 +3,7 @@ id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. status: experimental date: 2021/04/12 +modified: 2022/01/13 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.resource_development @@ -16,6 +17,7 @@ detection: selection1: TargetObject|contains: '\Services\HybridConnectionManager' selection2: + EventType: SetValue Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml index a297c6680..2da308f2c 100644 --- a/rules/windows/registry_event/sysmon_powershell_as_service.yml +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml 
@@ -4,7 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2022/01/13 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -15,6 +15,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml index 65ffce511..b95d8e580 100755 --- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml @@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html date: 2019/09/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index 190f33f2c..08f1c07fb 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -7,6 +7,7 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ date: 2021/02/26 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.012 
@@ -14,7 +15,8 @@ logsource: category: registry_event product: windows detection: - selection: + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index 058178fcf..abdb2b3c4 100644 --- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -3,6 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 +modified: 2022/01/13 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' Details|contains: - 'vbscript' diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 7b830997d..0dcdc843b 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/01/08 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.015 @@ -16,6 +16,7 @@ logsource: product: windows detection: selection: # Detect new COM servers in the user hive + EventType: SetValue TargetObject|startswith: - 'HKCR\CLSID\' - 'HKCU\Software\Classes\CLSID\' 
diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 42cbead5a..90ee32fba 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -6,12 +6,13 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 598a7756b..11e4cb99d 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -6,12 +6,13 @@ author: Florian Roth, oscd.community references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ date: 2018/07/18 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' selection2: - Details|startswith: diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 1bbe17aec..6e6f8b0c8 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml 
@@ -10,12 +10,13 @@ tags: - attack.t1060 # an old one - attack.t1547.001 date: 2018/08/25 -modified: 2021/10/30 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 4fa03b7ea..9ede1214d 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml @@ -6,12 +6,13 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ date: 2019/04/08 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_1: + EventType: SetValue TargetObject: - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index c6a0fd1fb..c02cf18c9 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml 
@@ -7,13 +7,14 @@ references: - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files date: 2019/10/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: selection_registry: + EventType: SetValue TargetObject|contains: - '\Keyboard Layout\Preload\' - '\Keyboard Layout\Substitutes\' diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 01c566580..378e7f623 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -7,7 +7,7 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2021/09/17 +modified: 2022/01/13 logsource: category: registry_event product: windows @@ -15,6 +15,7 @@ detection: selection1: TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: + EventType: SetValue TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 351020fc0..195ddd91b 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml 
@@ -10,13 +10,14 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 -modified: 2021/05/21 +modified: 2022/01/13 author: oscd.community, Natalia Shornikova logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' filter: Details: '%CommonProgramFiles%\System\wab32.dll' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 62dbf900b..8f438c6a1 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -6,13 +6,14 @@ author: Lednyov Alexey, oscd.community references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ date: 2020/10/16 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: selection: + EventType: SetValue TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml index 148886a9a..a6b8a353b 100644 --- a/rules/windows/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml @@ -12,12 +12,13 @@ tags: - attack.t1008 - attack.t1546 date: 2021/04/05 -modified: 2021/09/13 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_registry: + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry 
diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 336b5dc84..089a8cc53 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -6,6 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 +modified: 2022/01/13 tags: - attack.persistence - attack.t1112 @@ -18,6 +19,7 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: + EventType: SetValue TargetObject|endswith: Stamp Details: DWORD (0x00000001) selectionUserDefined: diff --git a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml index 8c30a7931..cb73fa4c4 100644 --- a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -3,7 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 -modified: 2021/11/19 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME 
@@ -20,11 +20,13 @@ logsource: product: windows detection: selection1: + EventType: SetValue TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' selection2: TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute' selection3: + EventType: SetValue TargetObject|endswith: - 'Classes\ms-settings\shell\open\command\(Default)' - 'Classes\exefile\shell\open\command\(Default)' From 82f88f194f1b29502a8698eb8833c4edd656a112 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 18:20:24 +0100 Subject: [PATCH 13/90] fix: FPs noticed with Aurora --- .../process_creation_susp_non_exe_image.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml index 5eb1994eb..2af556082 100644 --- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml +++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2021/12/24 +modified: 2022/01/13 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -17,6 +17,8 @@ detection: Image|endswith: '.exe' filter_null: Image: null + filter_registry: + Image: 'Registry' filter_starts: Image|startswith: 'C:\Windows\Installer\MSI' filter_pstarts: @@ -29,6 +31,9 @@ detection: filter_nvidia: Image|contains: 'NVIDIA\NvBackend\' Image|endswith: '.dat' + filter_com: + Image|startswith: 'C:\Windows\System32\' + Image|endswith: '.com' condition: not image_exe and not 1 of filter* falsepositives: - unknown From c0bd1ef9bc036f14bfe2a28bacf213cc1779f759 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Thu, 13 Jan 2022 21:07:11 +0100 Subject: [PATCH 14/90] Update sysmon_config_modification.yml --- rules/windows/sysmon/sysmon_config_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index dc24421ae..698bd1fb3 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -1,6 +1,6 @@ title: Sysmon Configuration Change id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 -description: Someone can try to hide from Sysmon +description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration status: experimental author: frack113 date: 2022/01/12 From 21b3e5c6fd89212e5ca04e9245bca85d9acba591 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 21:07:59 +0100 Subject: [PATCH 15/90] Update win_pc_uninstall_sysmon.yml --- rules/windows/process_creation/win_pc_uninstall_sysmon.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml index 11a90070f..e9a92cdbb 100644 --- a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml +++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml @@ -1,7 +1,7 @@ title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 status: experimental -description: Uninstall Sysinternals Sysmon for Defense Evasion +description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon author: frack113 
@@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 From 4f6d433c2d69e233bbd198cfcbc7fb3dfc5e3374 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 13 Jan 2022 21:09:26 +0000 Subject: [PATCH 16/90] Detects executable running with non executable extension, used for av bypass --- .../win_run_executable_invalid_extension.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/win_run_executable_invalid_extension.yml diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml new file mode 100644 index 000000000..f323801e0 --- /dev/null +++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml @@ -0,0 +1,30 @@ +title: Application Executed Non-Executable Extension +id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf +status: experimental +description: Detects execution of files using an invalid file extension +author: Tim Shelton +date: 2022/01/12 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '.exe' + - '.ex_' + - '.com' + - '.cmd' + - '.bat' + - '.bin' + - '.pif' + selection2: + Image|endswith: 'rundll32.exe' + selection2b: + CommandLine|contains: ".dll" + condition: not selection1 or (selection2 and not selection2b) +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: high From 14ccd6ca8c55c4d3c4830c437583ab83af222641 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 Jan 2022 10:15:03 +0100 Subject: [PATCH 17/90] fix: FPs with rule that looks for executions of files other than .exe https://github.com/SigmaHQ/sigma/issues/2560 --- .../process_creation_susp_non_exe_image.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml index 5eb1994eb..6cc9b2ce6 100644 --- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml +++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2021/12/24 +modified: 2022/01/14 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -17,6 +17,12 @@ detection: Image|endswith: '.exe' filter_null: Image: null + filter_registry: + Image: 'Registry' + filter_empty: + Image: + - '-' + - '' filter_starts: Image|startswith: 'C:\Windows\Installer\MSI' filter_pstarts: From 4d5e87258d0b58ad88d68752f489acff4e2ffc30 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 Jan 2022 11:47:46 +0100 Subject: [PATCH 18/90] Update win_run_executable_invalid_extension.yml --- .../win_run_executable_invalid_extension.yml | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml index f323801e0..e3a07fbe1 100644 --- a/rules/windows/process_creation/win_run_executable_invalid_extension.yml +++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml 
@@ -1,27 +1,23 @@ title: Application Executed Non-Executable Extension id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf status: experimental -description: Detects execution of files using an invalid file extension -author: Tim Shelton -date: 2022/01/12 +description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file +references: + - https://twitter.com/mrd0x/status/1481630810495139841?s=12 +author: Tim Shelton, Florian Roth +date: 2022/01/13 logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: - - '.exe' - - '.ex_' - - '.com' - - '.cmd' - - '.bat' - - '.bin' - - '.pif' - selection2: - Image|endswith: 'rundll32.exe' - selection2b: - CommandLine|contains: ".dll" - condition: not selection1 or (selection2 and not selection2b) + selection: + Image|endswith: '\rundll32.exe' + filter_empty: + CommandLine: null + filter: + - CommandLine|contains: '.dll' + - CommandLine: '' + condition: selection and not 1 of filter* fields: - Image - CommandLine From d525203083787e948ed7857c38f49b7bbef3f8b5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 Jan 2022 12:30:16 +0100 Subject: [PATCH 19/90] rule: suspicious rundll32 JS pattern --- ...on_susp_rundll32_js_runhtmlapplication.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml diff --git a/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml new file mode 100644 index 000000000..05d55fb8d --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_rundll32_js_runhtmlapplication.yml 
@@ -0,0 +1,27 @@ +title: Rundll32 JS RunHTMLApplication Pattern +id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 +status: experimental +description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code +author: Florian Roth +date: 2022/01/14 +references: + - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains|all: + - 'rundll32' + - 'javascript' + - '..\..\mshtml,RunHTMLApplication' + selection2: + CommandLine|contains: + - ';document.write();GetObject("script' + condition: 1 of selection* +falsepositives: + - unknown +level: high + From 2c964503e98d039a56075b5865703646a1337b95 Mon Sep 17 00:00:00 2001 From: SimoneCagol <57213014+SimoneCagol@users.noreply.github.com> Date: Fri, 14 Jan 2022 13:05:45 +0100 Subject: [PATCH 20/90] Update sysmon_raw_disk_access_using_illegitimate_tools.yml --- .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 254351b3b..16802f56e 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -4,7 +4,7 @@ description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community status: test date: 2019/10/22 -modified: 2022/02/02 +modified: 2022/01/02 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: From 0828ff098fbe41eefd832bbc9a65f4debb7214da Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 15 Jan 2022 09:07:26 +0100 Subject: [PATCH 21/90] Fix windows-dns-server --- tools/config/powershell.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 11db7be04..16ffd3a53 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -46,7 +46,6 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: LogName: 'DNS Server' windows-dns-server-audit: From 5fd339858a83cfae898e24382e2192c3f7bb2fe1 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 15 Jan 2022 10:30:03 +0100 Subject: [PATCH 22/90] Rename powershell_classic --- ...owershell_hosts.yml => posh_pc_alternate_powershell_hosts.yml} | 0 ..._shadow_copies.yml => posh_pc_delete_volume_shadow_copies.yml} | 0 ...wershell_downgrade_attack.yml => posh_pc_downgrade_attack.yml} | 0 .../{powershell_exe_calling_ps.yml => posh_pc_exe_calling_ps.yml} | 0 .../{powershell_classic_powercat.yml => posh_pc_powercat.yml} | 0 ...wershell_session.yml => posh_pc_remote_powershell_session.yml} | 0 ...hell_renamed_powershell.yml => posh_pc_renamed_powershell.yml} | 0 ...and.yml => posh_pc_susp_athremotefxvgpudisablementcommand.yml} | 0 ...nettcpconnection.yml => posh_pc_susp_get_nettcpconnection.yml} | 0 ...lassic_susp_zip_compress.yml => posh_pc_susp_zip_compress.yml} | 0 ...ic_suspicious_download.yml => posh_pc_suspicious_download.yml} | 0 ...dows_defender.yml => posh_pc_tamper_with_windows_defender.yml} | 0 ...owershell.yml => posh_pc_wsman_com_provider_no_powershell.yml} | 0 ...powershell_xor_commandline.yml => posh_pc_xor_commandline.yml} | 0 14 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/powershell_classic/{powershell_classic_alternate_powershell_hosts.yml => posh_pc_alternate_powershell_hosts.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_delete_volume_shadow_copies.yml => posh_pc_delete_volume_shadow_copies.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_downgrade_attack.yml => posh_pc_downgrade_attack.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_exe_calling_ps.yml => posh_pc_exe_calling_ps.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_classic_powercat.yml => posh_pc_powercat.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_classic_remote_powershell_session.yml => posh_pc_remote_powershell_session.yml} (100%) rename 
rules/windows/powershell/powershell_classic/{powershell_renamed_powershell.yml => posh_pc_renamed_powershell.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_classic_susp_athremotefxvgpudisablementcommand.yml => posh_pc_susp_athremotefxvgpudisablementcommand.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_pc_susp_get_nettcpconnection.yml => posh_pc_susp_get_nettcpconnection.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_classic_susp_zip_compress.yml => posh_pc_susp_zip_compress.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_classic_suspicious_download.yml => posh_pc_suspicious_download.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_tamper_with_windows_defender.yml => posh_pc_tamper_with_windows_defender.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_wsman_com_provider_no_powershell.yml => posh_pc_wsman_com_provider_no_powershell.yml} (100%) rename rules/windows/powershell/powershell_classic/{powershell_xor_commandline.yml => posh_pc_xor_commandline.yml} (100%) diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml rename to rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml diff --git a/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml rename to rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml 
diff --git a/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml rename to rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml diff --git a/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml rename to rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml rename to rules/windows/powershell/powershell_classic/posh_pc_powercat.yml diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml rename to rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml diff --git a/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml similarity index 100% rename from rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml rename to rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml 
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_pc_susp_get_nettcpconnection.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
diff --git a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
similarity index 100%
rename from rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
rename to rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
From 6badb1311489dac86b5b04d46340df6c4b0496f8 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 15 Jan 2022 10:38:27 +0100
Subject: [PATCH 23/90] Rename powershell_module
---
...owershell_hosts.yml => posh_pm_alternate_powershell_hosts.yml} | 0
...ll_bad_opsec_artifacts.yml => posh_pm_bad_opsec_artifacts.yml} | 0
...owershell_history.yml => posh_pm_clear_powershell_history.yml} | 0
...ll_decompress_commands.yml => posh_pm_decompress_commands.yml} | 0
.../{powershell_get_clipboard.yml => posh_pm_get_clipboard.yml} | 0
...e_obfuscation_clip.yml => posh_pm_invoke_obfuscation_clip.yml} | 0
...ated_iex.yml => posh_pm_invoke_obfuscation_obfuscated_iex.yml} | 0
...obfuscation_stdin.yml => posh_pm_invoke_obfuscation_stdin.yml} | 0
...oke_obfuscation_var.yml => posh_pm_invoke_obfuscation_var.yml} | 0
...a_compress.yml => posh_pm_invoke_obfuscation_via_compress.yml} | 0
...n_via_rundll.yml => posh_pm_invoke_obfuscation_via_rundll.yml} | 0
...ion_via_stdin.yml => posh_pm_invoke_obfuscation_via_stdin.yml} | 0
...a_use_clip.yml => posh_pm_invoke_obfuscation_via_use_clip.yml} | 0
...use_mhsta.yml => posh_pm_invoke_obfuscation_via_use_mhsta.yml} | 0
...ndll32.yml => posh_pm_invoke_obfuscation_via_use_rundll32.yml} | 0
...scation_via_var.yml => posh_pm_invoke_obfuscation_via_var.yml} | 0
.../{powershell_powercat.yml => posh_pm_powercat.yml} | 0
...wershell_session.yml => posh_pm_remote_powershell_session.yml} | 0
...and.yml => posh_pm_susp_athremotefxvgpudisablementcommand.yml} | 0
...nettcpconnection.yml => posh_pm_susp_get_nettcpconnection.yml} | 0
...rshell_susp_zip_compress.yml => posh_pm_susp_zip_compress.yml} | 0
...ous_ad_group_reco.yml => posh_pm_suspicious_ad_group_reco.yml} | 0
...ownload_in_contextinfo.yml => posh_pm_suspicious_download.yml} | 0
..._contextinfo.yml => posh_pm_suspicious_invocation_generic.yml} | 0
...contextinfo.yml => posh_pm_suspicious_invocation_specific.yml} | 0
...cal_group_reco.yml => posh_pm_suspicious_local_group_reco.yml} | 0
...s_smb_share_reco.yml =>
posh_pm_suspicious_smb_share_reco.yml} | 0
...n_contextinfo.yml => posh_pm_syncappvpublishingserver_exe.yml} | 0
28 files changed, 0 insertions(+), 0 deletions(-)
rename rules/windows/powershell/powershell_module/{powershell_alternate_powershell_hosts.yml => posh_pm_alternate_powershell_hosts.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_bad_opsec_artifacts.yml => posh_pm_bad_opsec_artifacts.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_clear_powershell_history.yml => posh_pm_clear_powershell_history.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_decompress_commands.yml => posh_pm_decompress_commands.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_get_clipboard.yml => posh_pm_get_clipboard.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_clip.yml => posh_pm_invoke_obfuscation_clip.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_obfuscated_iex.yml => posh_pm_invoke_obfuscation_obfuscated_iex.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_stdin.yml => posh_pm_invoke_obfuscation_stdin.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_var.yml => posh_pm_invoke_obfuscation_var.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_compress.yml => posh_pm_invoke_obfuscation_via_compress.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_rundll.yml => posh_pm_invoke_obfuscation_via_rundll.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_stdin.yml => posh_pm_invoke_obfuscation_via_stdin.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_use_clip.yml => posh_pm_invoke_obfuscation_via_use_clip.yml} (100%)
rename
rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_use_mhsta.yml => posh_pm_invoke_obfuscation_via_use_mhsta.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_use_rundll32.yml => posh_pm_invoke_obfuscation_via_use_rundll32.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_invoke_obfuscation_via_var.yml => posh_pm_invoke_obfuscation_via_var.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_powercat.yml => posh_pm_powercat.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_remote_powershell_session.yml => posh_pm_remote_powershell_session.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_susp_athremotefxvgpudisablementcommand.yml => posh_pm_susp_athremotefxvgpudisablementcommand.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_pm_susp_get_nettcpconnection.yml => posh_pm_susp_get_nettcpconnection.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_susp_zip_compress.yml => posh_pm_susp_zip_compress.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_pm_suspicious_ad_group_reco.yml => posh_pm_suspicious_ad_group_reco.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_suspicious_download_in_contextinfo.yml => posh_pm_suspicious_download.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_suspicious_invocation_generic_in_contextinfo.yml => posh_pm_suspicious_invocation_generic.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_suspicious_invocation_specific_in_contextinfo.yml => posh_pm_suspicious_invocation_specific.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_pm_suspicious_local_group_reco.yml => posh_pm_suspicious_local_group_reco.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_pm_suspicious_smb_share_reco.yml =>
posh_pm_suspicious_smb_share_reco.yml} (100%)
rename rules/windows/powershell/powershell_module/{powershell_syncappvpublishingserver_exe_in_contextinfo.yml => posh_pm_syncappvpublishingserver_exe.yml} (100%)
diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
rename to rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
rename to rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
rename to rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
rename to rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
rename to rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
rename to rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_powercat.yml
rename to rules/windows/powershell/powershell_module/posh_pm_powercat.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
rename to rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_susp_get_nettcpconnection.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_ad_group_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_ad_group_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_local_group_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_pm_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_pm_suspicious_smb_share_reco.yml
rename to rules/windows/powershell/powershell_module/posh_pm_suspicious_smb_share_reco.yml
diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
rename to rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
From 65a268b0b3f9552556c7303c1b7fc2f4254c797d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 15 Jan 2022 10:54:21 +0100
Subject: [PATCH 24/90] Rename powershell_script
---
...ome_login_data.yml => posh_ps_access_to_chrome_login_data.yml} | 0
...rshell_accessing_win_api.yml => posh_ps_accessing_win_api.yml} | 0
...rshell_adrecon_execution.yml => posh_ps_adrecon_execution.yml} | 0
..._automated_collection.yml => posh_ps_automated_collection.yml} | 0
...ll_azurehound_commands.yml => posh_ps_azurehound_commands.yml} | 0
...ps_capture_screenshots.yml => posh_ps_capture_screenshots.yml} | 0
...vocation_lolscript.yml => posh_ps_cl_invocation_lolscript.yml} | 0
...script_count.yml => posh_ps_cl_invocation_lolscript_count.yml} | 0
...iers_lolscript.yml => posh_ps_cl_mutexverifiers_lolscript.yml} | 0
...pt_count.yml => posh_ps_cl_mutexverifiers_lolscript_count.yml} | 0
...e_history.yml => posh_ps_clearing_windows_console_history.yml} | 0
...mdlet_scheduled_task.yml => posh_ps_cmdlet_scheduled_task.yml} | 0
...l_ps_copy_item_system32.yml => posh_ps_copy_item_system32.yml} | 0
.../{powershell_ps_cor_profiler.yml => posh_ps_cor_profiler.yml} | 0
...rshell_create_local_user.yml => posh_ps_create_local_user.yml} | 0
...powershell_data_compressed.yml => posh_ps_data_compressed.yml} | 0
.../{powershell_detect_vm_env.yml => posh_ps_detect_vm_env.yml} | 0
...gement.yml => posh_ps_directoryservices_accountmanagement.yml} | 0
...wershell_dnscat_execution.yml => posh_ps_dnscat_execution.yml} | 0
...r.yml => posh_ps_dump_password_windows_credential_manager.yml} | 0
...ell_ps_enable_psremoting.yml => posh_ps_enable_psremoting.yml} | 0
...
=> posh_ps_enumerate_password_windows_credential_manager.yml} | 0
...ory_discovery.yml => posh_ps_file_and_directory_discovery.yml} | 0
...ershell_ps_get_acl_service.yml => posh_ps_get_acl_service.yml} | 0
...hilditem_bookmarks.yml => posh_ps_get_childitem_bookmarks.yml} | 0
...rshell_icmp_exfiltration.yml => posh_ps_icmp_exfiltration.yml} | 0
...nvoke_command_remote.yml => posh_ps_invoke_command_remote.yml} | 0
...oke_dnsexfiltration.yml => posh_ps_invoke_dnsexfiltration.yml} | 0
...wershell_invoke_nightmare.yml => posh_ps_invoke_nightmare.yml} | 0
...in_scriptblocktext.yml => posh_ps_invoke_obfuscation_clip.yml} | 0
...locktext.yml => posh_ps_invoke_obfuscation_obfuscated_iex.yml} | 0
...n_scriptblocktext.yml => posh_ps_invoke_obfuscation_stdin.yml} | 0
..._in_scriptblocktext.yml => posh_ps_invoke_obfuscation_var.yml} | 0
...tblocktext.yml => posh_ps_invoke_obfuscation_via_compress.yml} | 0
...iptblocktext.yml => posh_ps_invoke_obfuscation_via_rundll.yml} | 0
...riptblocktext.yml => posh_ps_invoke_obfuscation_via_stdin.yml} | 0
...tblocktext.yml => posh_ps_invoke_obfuscation_via_use_clip.yml} | 0
...blocktext.yml => posh_ps_invoke_obfuscation_via_use_mhsta.yml} | 0
...cktext.yml => posh_ps_invoke_obfuscation_via_use_rundll32.yml} | 0
...scriptblocktext.yml => posh_ps_invoke_obfuscation_via_var.yml} | 0
.../{powershell_keylogging.yml => posh_ps_keylogging.yml} | 0
.../{powershell_ps_localuser.yml => posh_ps_localuser.yml} | 0
...alicious_commandlets.yml => posh_ps_malicious_commandlets.yml} | 0
...hell_malicious_keywords.yml => posh_ps_malicious_keywords.yml} | 0
...icinfo.yml => posh_ps_memorydump_getstoragediagnosticinfo.yml} | 0
..._commandlets.yml => posh_ps_nishang_malicious_commandlets.yml} | 0
...powershell_ntfs_ads_access.yml => posh_ps_ntfs_ads_access.yml} | 0
...t_registerxll.yml => posh_ps_office_comobject_registerxll.yml} | 0
...ommandlets.yml => posh_ps_powerview_malicious_commandlets.yml} | 0
...hell_prompt_credentials.yml =>
posh_ps_prompt_credentials.yml} | 0
.../{powershell_psattack.yml => posh_ps_psattack.yml} | 0
...e_session_creation.yml => posh_ps_remote_session_creation.yml} | 0
...st_kerberos_ticket.yml => posh_ps_request_kerberos_ticket.yml} | 0
...icate_installed.yml => posh_ps_root_certificate_installed.yml} | 0
...ware_discovery.yml => posh_ps_security_software_discovery.yml} | 0
...shell_ps_send_mailmessage.yml => posh_ps_send_mailmessage.yml} | 0
...ecure_level.yml => posh_ps_set_policies_to_unsecure_level.yml} | 0
.../{powershell_shellcode_b64.yml => posh_ps_shellcode_b64.yml} | 0
...mmandlets.yml => posh_ps_shellintel_malicious_commandlets.yml} | 0
...hell_software_discovery.yml => posh_ps_software_discovery.yml} | 0
...stream.yml => posh_ps_store_file_in_alternate_data_stream.yml} | 0
...ve_adgroupmember.yml => posh_ps_susp_remove_adgroupmember.yml} | 0
...owershell_ps_susp_wallpaper.yml => posh_ps_susp_wallpaper.yml} | 0
...usp_win32_shadowcopy.yml => posh_ps_susp_win32_shadowcopy.yml} | 0
...press_in_scriptblocktext.yml => posh_ps_susp_zip_compress.yml} | 0
...ous_ad_group_reco.yml => posh_ps_suspicious_ad_group_reco.yml} | 0
...oad_in_scriptblocktext.yml => posh_ps_suspicious_download.yml} | 0
...tch_script.yml => posh_ps_suspicious_execute_batch_script.yml} | 0
...rtificate.yml => posh_ps_suspicious_export_pfxcertificate.yml} | 0
...uspicious_extracting.yml => posh_ps_suspicious_extracting.yml} | 0
...tprocess_lsass.yml => posh_ps_suspicious_getprocess_lsass.yml} | 0
...iptblocktext.yml => posh_ps_suspicious_invocation_generic.yml} | 0
...ipblocktext.yml => posh_ps_suspicious_invocation_specific.yml} | 0
...ll_suspicious_keywords.yml => posh_ps_suspicious_keywords.yml} | 0
...cal_group_reco.yml => posh_ps_suspicious_local_group_reco.yml} | 0
...uspicious_mail_acces.yml => posh_ps_suspicious_mail_acces.yml} | 0
...deletion.yml => posh_ps_suspicious_mounted_share_deletion.yml} | 0
...orkcredential.yml => posh_ps_suspicious_networkcredential.yml} | 0
...picious_new_psdrive.yml => posh_ps_suspicious_new_psdrive.yml} | 0
...wershell_suspicious_recon.yml => posh_ps_suspicious_recon.yml} | 0
...s_smb_share_reco.yml => posh_ps_suspicious_smb_share_reco.yml} | 0
...win32_pnpentity.yml => posh_ps_suspicious_win32_pnpentity.yml} | 0
...picious_windowstyle.yml => posh_ps_suspicious_windowstyle.yml} | 0
...riptblocktext.yml => posh_ps_syncappvpublishingserver_exe.yml} | 0
.../{powershell_timestomp.yml => posh_ps_timestomp.yml} | 0
...wershell_trigger_profiles.yml => posh_ps_trigger_profiles.yml} | 0
.../{powershell_ps_upload.yml => posh_ps_upload.yml} | 0
.../{powershell_web_request.yml => posh_ps_web_request.yml} | 0
...disabled.yml => posh_ps_windows_firewall_profile_disabled.yml} | 0
...ll_winlogon_helper_dll.yml => posh_ps_winlogon_helper_dll.yml} | 0
...powershell_wmi_persistence.yml => posh_ps_wmi_persistence.yml} | 0
.../{powershell_wmimplant.yml => posh_ps_wmimplant.yml} | 0
92 files changed, 0 insertions(+), 0 deletions(-)
rename rules/windows/powershell/powershell_script/{powershell_ps_access_to_chrome_login_data.yml => posh_ps_access_to_chrome_login_data.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_accessing_win_api.yml => posh_ps_accessing_win_api.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_adrecon_execution.yml => posh_ps_adrecon_execution.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_automated_collection.yml => posh_ps_automated_collection.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_azurehound_commands.yml => posh_ps_azurehound_commands.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_capture_screenshots.yml => posh_ps_capture_screenshots.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_cl_invocation_lolscript.yml => posh_ps_cl_invocation_lolscript.yml} (100%)
rename
rules/windows/powershell/powershell_script/{powershell_cl_invocation_lolscript_count.yml => posh_ps_cl_invocation_lolscript_count.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_cl_mutexverifiers_lolscript.yml => posh_ps_cl_mutexverifiers_lolscript.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_cl_mutexverifiers_lolscript_count.yml => posh_ps_cl_mutexverifiers_lolscript_count.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_clearing_windows_console_history.yml => posh_ps_clearing_windows_console_history.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_cmdlet_scheduled_task.yml => posh_ps_cmdlet_scheduled_task.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_copy_item_system32.yml => posh_ps_copy_item_system32.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_cor_profiler.yml => posh_ps_cor_profiler.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_create_local_user.yml => posh_ps_create_local_user.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_data_compressed.yml => posh_ps_data_compressed.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_detect_vm_env.yml => posh_ps_detect_vm_env.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_directoryservices_accountmanagement.yml => posh_ps_directoryservices_accountmanagement.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_dnscat_execution.yml => posh_ps_dnscat_execution.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_dump_password_windows_credential_manager.yml => posh_ps_dump_password_windows_credential_manager.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_enable_psremoting.yml => posh_ps_enable_psremoting.yml} (100%)
rename
rules/windows/powershell/powershell_script/{powershell_ps_enumerate_password_windows_credential_manager.yml => posh_ps_enumerate_password_windows_credential_manager.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_file_and_directory_discovery.yml => posh_ps_file_and_directory_discovery.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_get_acl_service.yml => posh_ps_get_acl_service.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_get_childitem_bookmarks.yml => posh_ps_get_childitem_bookmarks.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_icmp_exfiltration.yml => posh_ps_icmp_exfiltration.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_invoke_command_remote.yml => posh_ps_invoke_command_remote.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_invoke_dnsexfiltration.yml => posh_ps_invoke_dnsexfiltration.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_nightmare.yml => posh_ps_invoke_nightmare.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_clip_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_clip.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_obfuscated_iex.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_stdin.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_var_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_var.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_compress.yml} (100%)
rename
rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_rundll.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_stdin.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_use_clip.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_use_mhsta.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_use_rundll32.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml => posh_ps_invoke_obfuscation_via_var.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_keylogging.yml => posh_ps_keylogging.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ps_localuser.yml => posh_ps_localuser.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_malicious_commandlets.yml => posh_ps_malicious_commandlets.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_malicious_keywords.yml => posh_ps_malicious_keywords.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_memorydump_getstoragediagnosticinfo.yml => posh_ps_memorydump_getstoragediagnosticinfo.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_nishang_malicious_commandlets.yml => posh_ps_nishang_malicious_commandlets.yml} (100%)
rename rules/windows/powershell/powershell_script/{powershell_ntfs_ads_access.yml => posh_ps_ntfs_ads_access.yml} (100%)
rename
rules/windows/powershell/powershell_script/{powershell_ps_office_comobject_registerxll.yml => posh_ps_office_comobject_registerxll.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_powerview_malicious_commandlets.yml => posh_ps_powerview_malicious_commandlets.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_prompt_credentials.yml => posh_ps_prompt_credentials.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_psattack.yml => posh_ps_psattack.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_remote_session_creation.yml => posh_ps_remote_session_creation.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_request_kerberos_ticket.yml => posh_ps_request_kerberos_ticket.yml} (100%) rename rules/windows/powershell/powershell_script/{win_root_certificate_installed.yml => posh_ps_root_certificate_installed.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_security_software_discovery.yml => posh_ps_security_software_discovery.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_send_mailmessage.yml => posh_ps_send_mailmessage.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_set_policies_to_unsecure_level.yml => posh_ps_set_policies_to_unsecure_level.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_shellcode_b64.yml => posh_ps_shellcode_b64.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_shellintel_malicious_commandlets.yml => posh_ps_shellintel_malicious_commandlets.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_software_discovery.yml => posh_ps_software_discovery.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_store_file_in_alternate_data_stream.yml => posh_ps_store_file_in_alternate_data_stream.yml} (100%) rename 
rules/windows/powershell/powershell_script/{powershell_ps_susp_remove_adgroupmember.yml => posh_ps_susp_remove_adgroupmember.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_susp_wallpaper.yml => posh_ps_susp_wallpaper.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_susp_win32_shadowcopy.yml => posh_ps_susp_win32_shadowcopy.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_susp_zip_compress_in_scriptblocktext.yml => posh_ps_susp_zip_compress.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_ad_group_reco.yml => posh_ps_suspicious_ad_group_reco.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_download_in_scriptblocktext.yml => posh_ps_suspicious_download.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_execute_batch_script.yml => posh_ps_suspicious_execute_batch_script.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_export_pfxcertificate.yml => posh_ps_suspicious_export_pfxcertificate.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_extracting.yml => posh_ps_suspicious_extracting.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_getprocess_lsass.yml => posh_ps_suspicious_getprocess_lsass.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_invocation_generic_in_scriptblocktext.yml => posh_ps_suspicious_invocation_generic.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_invocation_specific_in_scripblocktext.yml => posh_ps_suspicious_invocation_specific.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_keywords.yml => posh_ps_suspicious_keywords.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_local_group_reco.yml => 
posh_ps_suspicious_local_group_reco.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_mail_acces.yml => posh_ps_suspicious_mail_acces.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_mounted_share_deletion.yml => posh_ps_suspicious_mounted_share_deletion.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_networkcredential.yml => posh_ps_suspicious_networkcredential.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_new_psdrive.yml => posh_ps_suspicious_new_psdrive.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_recon.yml => posh_ps_suspicious_recon.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_suspicious_smb_share_reco.yml => posh_ps_suspicious_smb_share_reco.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_win32_pnpentity.yml => posh_ps_suspicious_win32_pnpentity.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_suspicious_windowstyle.yml => posh_ps_suspicious_windowstyle.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml => posh_ps_syncappvpublishingserver_exe.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_timestomp.yml => posh_ps_timestomp.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_trigger_profiles.yml => posh_ps_trigger_profiles.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_ps_upload.yml => posh_ps_upload.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_web_request.yml => posh_ps_web_request.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_windows_firewall_profile_disabled.yml => posh_ps_windows_firewall_profile_disabled.yml} (100%) rename 
rules/windows/powershell/powershell_script/{powershell_winlogon_helper_dll.yml => posh_ps_winlogon_helper_dll.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_wmi_persistence.yml => posh_ps_wmi_persistence.yml} (100%) rename rules/windows/powershell/powershell_script/{powershell_wmimplant.yml => posh_ps_wmimplant.yml} (100%) diff --git a/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml rename to rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml diff --git a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml rename to rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml diff --git a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml rename to rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml similarity index 100% rename from rules/windows/powershell/powershell_script/powershell_automated_collection.yml rename to rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml 
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
rename to rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_capture_screenshots.yml
rename to rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_clearing_windows_console_history.yml
rename to rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_cmdlet_scheduled_task.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
rename to rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_cor_profiler.yml
rename to rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_directoryservices_accountmanagement.yml
rename to rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
rename to rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml
rename to rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml
rename to rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml
rename to rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_file_and_directory_discovery.yml
rename to rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_get_acl_service.yml
rename to rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_get_childitem_bookmarks.yml
rename to rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
rename to rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_keylogging.yml
rename to rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_localuser.yml
rename to rules/windows/powershell/powershell_script/posh_ps_localuser.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
rename to rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
rename to rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_office_comobject_registerxll.yml
rename to rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
rename to rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_psattack.yml
rename to rules/windows/powershell/powershell_script/posh_ps_psattack.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml
rename to rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_request_kerberos_ticket.yml
rename to rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
diff --git a/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/win_root_certificate_installed.yml
rename to rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml
rename to rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml
rename to rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
rename to rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
rename to rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_software_discovery.yml
rename to rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
rename to rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_ad_group_reco.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_ad_group_reco.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_execute_batch_script.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_execute_batch_script.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_export_pfxcertificate.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_extracting.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_extracting.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_local_group_reco.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_networkcredential.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_new_psdrive.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_new_psdrive.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_suspicious_smb_share_reco.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_smb_share_reco.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml
rename to rules/windows/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
rename to rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_ps_upload.yml
rename to rules/windows/powershell/powershell_script/posh_ps_upload.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/posh_ps_web_request.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
rename to rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
From cb938c14df0fae93a684d4b597855a5d2f217a50 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 15 Jan 2022 17:04:03 +0100
Subject: [PATCH 25/90] Windows Redcannary
---
 .../win_fd_delete_prefetch_file.yml | 23 ++++++++++++
 .../posh_ps_remove_item_path.yml | 25 ++++++++++++++++
 .../posh_ps_suspicious_start_process.yml | 26 ++++++++++++++++
 .../process_creation/win_pc_cmd_delete.yml | 30 +++++++++++++++++++
 .../process_creation/win_pc_run_from_zip.yml | 21 +++++++++++++
 .../win_pc_susp_char_in_cmd.yml | 30 +++++++++++++++++++
 6 files changed, 155 insertions(+)
 create mode 100644 rules/windows/file_delete/win_fd_delete_prefetch_file.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
 create mode 100644 rules/windows/process_creation/win_pc_cmd_delete.yml
 create mode 100644 rules/windows/process_creation/win_pc_run_from_zip.yml
 create mode 100644 rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
diff --git a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
new file mode 100644
index 000000000..60b0806f2
--- /dev/null
+++ b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
@@ -0,0 +1,23 @@
+title: Delete Prefetch File
+id: 4f14dd15-1625-451c-afa6-af6505a18e26
+status: experimental
+description: Deletion of prefetch files is a known anti-forensic technique
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-9---delete-prefetch-file
+date: 2022/01/15
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection_file:
+ TargetFilename|endswith: .pf
+ selection_valid:
+ Image: C:\Windows\system32\svchost.exe
+ condition: selection_file and not selection_valid
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
new file mode 100644
index 000000000..cda5dcbf2
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -0,0 +1,25 @@
+title: Use Remove-Item to Delete File
+id: b8af5f36-1361-4ebe-9e76-e36128d947bf
+status: experimental
+description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Remove-Item
+ - '-Path '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
new file mode 100644
index 000000000..196e8c2b3
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
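Review bot: The description says the rule covers `Remove-Item ... -Path` "with -Recurse", but the selection only requires `Remove-Item` and `'-Path '`, so `-Recurse` plays no part in the match and the description overstates what is checked. Either add `- '-Recurse'` to the `contains|all` list or reword to `description: Detects any PowerShell Remove-Item invocation that deletes by -Path (with or without -Recurse)`. As written every script that removes a file by path matches, which at `level: low` may be intended, but the description should say so rather than imply a narrower scope.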
@@ -0,0 +1,26 @@
+title: Suspicious Start-Process PassThru
+id: 0718cd72-f316-4aa2-988f-838ea8533277
+status: experimental
+description: Powershell use PassThru option to start in background
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Start-Process
+ - '-PassThru '
+ - '-FilePath '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_pc_cmd_delete.yml b/rules/windows/process_creation/win_pc_cmd_delete.yml
new file mode 100644
index 000000000..b72c3a0f5
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_cmd_delete.yml
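Review bot: The description `Powershell use PassThru option to start in background` does not describe what `-PassThru` does: per the linked Start-Process documentation it returns the process object to the pipeline, it does not detach or hide the process. Suggest `description: Detects Start-Process invoked with -PassThru and -FilePath, which returns a handle to the spawned process and is the form used in the referenced T1036.003 atomic test`. The patterns `'-PassThru '` and `'-FilePath '` also require a trailing space, so a script that ends a line with `-PassThru` or follows it with `)` or `;` will not match; dropping the trailing space from both entries would close that gap at the cost of slightly broader matching.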
@@ -0,0 +1,30 @@
+title: Windows Cmd Delete File
+id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
+status: experimental
+description: |
+ Adversaries may delete files left behind by the actions of their intrusion activity.
+ Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+ Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
+author: frack113
+date: 2022/01/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|contains|all:
+ - 'del '
+ - /f
+ - Image|contains|all:
+ - rmdir
+ - /s
+ - /q
+ condition: selection
+falsepositives:
+ - Legitim script
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_run_from_zip.yml b/rules/windows/process_creation/win_pc_run_from_zip.yml
new file mode 100644
index 000000000..e7fc41db3
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_run_from_zip.yml
@@ -0,0 +1,21 @@
+title: Run from a Zip File
+id: 1a70042a-6622-4a2b-8958-267625349abf
+status: experimental
+description: Payloads may be compressed, archived, or encrypted in order to avoid detection
+author: frack113
+date: 2021/12/26
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: '.zip\'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
\ No newline at end of file
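Review bot: In the `win_pc_run_from_zip.yml` hunk the tags `attack.impact` / `attack.t1485` (Data Destruction) do not match the rule: the description and the referenced atomic test are about execution from a compressed archive under T1027, so the tags should read `- attack.defense_evasion` and `- attack.t1027`. The selection `Image|contains: '.zip\'` also matches any executable whose path contains a directory whose name ends in `.zip`, not only files launched from the temporary extraction folder of an archive; if that broader scope is intended, stating it in `description` would help analysts triage hits.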
diff --git a/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
new file mode 100644
index 000000000..791898f77
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
@@ -0,0 +1,30 @@
+title: Obfuscated Command Line Using Special Unicode Characters
+id: e0552b19-5a83-4222-b141-b36184bb8d79
+status: experimental
+description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+author: frack113
+references:
+ - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
+date: 2022/01/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ #find the sysmon event
+ CommandLine|contains:
+ - 'â'
+ - '€'
+ - '£'
+ - '¯'
+ - '®'
+ - 'µ'
+ - '¶'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
From 38ddf072916f5e408f322a92beb000b554b818ce Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 15 Jan 2022 23:31:51 +0100
Subject: [PATCH 26/90] Add french user
---
 .../win_fd_delete_prefetch_file.yml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 rules/windows/file_delete/win_fd_delete_prefetch_file.yml
diff --git a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
deleted file mode 100644
index 60b0806f2..000000000
--- a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
+++ /dev/null
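Review bot: The second reference, whose anchor reads `atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http`, points at an atomic test unrelated to command-line obfuscation; the anchor should be corrected or the reference dropped. The characters `â` and `€` are also the typical signature of UTF-8 text decoded as a single-byte code page, so whether this list catches obfuscated command lines or mis-encoded log records depends on the collector's encoding; that assumption belongs in `description`, and `level: high` with `falsepositives: unknown` is hard to justify until it has been checked on a real pipeline. The inline comment `#find the sysmon event` reads like a leftover TODO and should either be expanded into a real note or removed.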
@@ -1,23 +0,0 @@
-title: Delete Prefetch File
-id: 4f14dd15-1625-451c-afa6-af6505a18e26
-status: experimental
-description: Deletion of prefetch files is a known anti-forensic technique
-author: frack113
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-9---delete-prefetch-file
-date: 2022/01/15
-logsource:
- product: windows
- category: file_delete
-detection:
- selection_file:
- TargetFilename|endswith: .pf
- selection_valid:
- Image: C:\Windows\system32\svchost.exe
- condition: selection_file and not selection_valid
-falsepositives:
- - unknown
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.004
From c4f4b55920adca1d2a1b71ab4bf1c86f60ddf860 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 15 Jan 2022 23:33:36 +0100
Subject: [PATCH 27/90] Add french user
---
 rules/windows/file_delete/sysmon_delete_prefetch.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml
index 451971948..954dd6b04 100755
--- a/rules/windows/file_delete/sysmon_delete_prefetch.yml
+++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml
@@ -5,6 +5,7 @@ description: Detects the deletion of a prefetch file (AntiForensic)
 level: high
 author: Cedric MAURUGEON
 date: 2021/09/29
+modified: 2022/01/15
 tags:
 - attack.defense_evasion
 - attack.t1070.004
@@ -17,7 +18,9 @@ detection:
 TargetFilename|endswith: '.pf'
 exception:
 Image: 'C:\windows\system32\svchost.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and not exception
 falsepositives:
 - Unknown
From 5890c1bb20aed320763abfafdd1a94c7a0605c17 Mon Sep 17 00:00:00 2001
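Review bot: In the second `sysmon_delete_prefetch.yml` hunk the new `'AUTORITE NT\Sys'` entry is a truncated prefix while the other entry is the full account name, and nothing says why; presumably the French name continues with an accented character that is unreliable across log encodings, which is what makes `startswith` necessary. Making that explicit would stop the next reader from "fixing" it, e.g. `- 'AUTORITE NT\Sys' # French locale; truncated before the accented character so the match survives encoding differences`. A short comment above `User|startswith:` noting that the exception now covers only the English and French localized SYSTEM names would also explain why other locales still alert.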
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 08:56:51 +0100
Subject: [PATCH 28/90] Fix logsource
---
 .../win_net_share_obj_susp_desktop_ini.yml | 4 +-
 tools/config/generic/windows-services.yml | 148 ++++++++++++++++++
 2 files changed, 150 insertions(+), 2 deletions(-)
 rename rules/windows/{file_event => builtin/security}/win_net_share_obj_susp_desktop_ini.yml (95%)
 create mode 100644 tools/config/generic/windows-services.yml
diff --git a/rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
similarity index 95%
rename from rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml
rename to rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
index 585fa2ff6..021f753ba 100755
--- a/rules/windows/file_event/win_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
@@ -6,10 +6,10 @@ author: Tim Shelton (HAWK.IO)
 references:
 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 date: 2021/12/06
-modified: 2021/12/06
+modified: 2022/01/16
 logsource:
 product: windows
- category: security
+ service: security
 detection:
 selection:
 EventID: 5145
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
new file mode 100644
index 000000000..910d58f04
--- /dev/null
+++ b/tools/config/generic/windows-services.yml
@@ -0,0 +1,148 @@
+title: Conversion of Generic Windows Service to Channel and EventID
+order: 15
+logsources:
+ ps_module:
+ category: ps_module
+ product: windows
+ conditions:
+ EventID: 4103
+ rewrite:
+ product: windows
+ service: powershell
+ ps_script:
+ category: ps_script
+ product: windows
+ conditions:
+ EventID: 4104
+ rewrite:
+ product: windows
+ service: powershell
+ # for the "classic" channel
+ ps_classic_start:
+ category: ps_classic_start
+ product: windows
+ conditions:
+ EventID: 400
+ rewrite:
+ product: windows
+ service: powershell-classic
+ ps_classic_provider_start:
+ category: ps_classic_provider_start
+ product: windows
+ conditions:
+ EventID: 600
+ rewrite:
+ product: windows
+ service: powershell-classic
+ ps_classic_script:
+ category: ps_classic_script
+ product: windows
+ conditions:
+ EventID: 800
+ rewrite:
+ product: windows
+ service: powershell-classic
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ Channel: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ Channel: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ Channel: System
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ Channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ Channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ Channel: 'Windows PowerShell'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ Channel: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ Channel: 'Microsoft-Windows-NTLM/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ Channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ Channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ Channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ Channel: 'Microsoft-Windows-SmbClient/Security'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ Channel:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ Channel: 'MSExchange Management'
+ windows-servicebus-client:
+ product: windows
+ service: microsoft-servicebus-client
+ conditions:
+ Channel: 'Microsoft-ServiceBus-Client'
+ windows-ladp-client-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-taskscheduler-operational:
+ product: windows
+ service: taskscheduler
+ conditions:
+ Channel: 'Microsoft-Windows-TaskScheduler/Operational'
+ windows-wmi-activity-Operational:
+ product: windows
+ service: wmi
+ conditions:
+ Channel: 'Microsoft-Windows-WMI-Activity/Operational'
\ No newline at end of file
From 262cb31143573e77b7bf06dc896eca8d1e06d4d8 Mon Sep 17 00:00:00 2001
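Review bot: The key `windows-ladp-client-debug` is misspelled (`ldap`), and `windows-wmi-activity-Operational` is the only key in the file with a capital letter; since these names are what operators reference when overriding a mapping, `windows-ldap-client-debug` and `windows-wmi-activity-operational` would avoid carrying the typo forward. The file also ends without a trailing newline (`\ No newline at end of file`). The five `ps_*` entries pair a `conditions` block with a `rewrite` block and no comment explains the relationship; presumably `rewrite` replaces the rule's logsource once `EventID` matches, and a one-line comment above `ps_module` stating that (and that the `product: windows` inside `rewrite` is intentional rather than a copy of the outer key) would make the file self-explanatory.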
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 11:15:50 +0100
Subject: [PATCH 29/90] Fix CommandLine Forget to copy the correct from Test VM
---
 rules/windows/process_creation/win_pc_cmd_delete.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_pc_cmd_delete.yml b/rules/windows/process_creation/win_pc_cmd_delete.yml
index b72c3a0f5..6b9cba57b 100644
--- a/rules/windows/process_creation/win_pc_cmd_delete.yml
+++ b/rules/windows/process_creation/win_pc_cmd_delete.yml
@@ -14,10 +14,10 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|contains|all:
+ - CommandLine|contains|all:
 - 'del '
 - /f
- - Image|contains|all:
+ - CommandLine|contains|all:
 - rmdir
 - /s
 - /q
@@ -27,4 +27,4 @@ falsepositives:
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1070.004
\ No newline at end of file
+ - attack.t1070.004
From 12f0d6dfab4dc518647e0474a6801c09ca738f95 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 14:47:56 +0100
Subject: [PATCH 30/90] Windows Redcannary
---
 .../file_delete/win_fd_delete_appli_log.yml | 24 ++++++++++++
 .../network_connection/win_nc_msiexec.yml | 25 +++++++++++++
 .../posh_ps_tamper_defender.yml | 33 +++++++++++++++++
 .../process_creation/win_pc_dsim_remove.yml | 37 +++++++++++++++++++
 .../win_pc_msiexec_execute_dll.yml | 27 ++++++++++++++
 .../win_pc_msiexec_install_quiet.yml | 27 ++++++++++++++
 .../win_re_disable_administrative_share.yml | 26 +++++++++++++
 7 files changed, 199 insertions(+)
 create mode 100644 rules/windows/file_delete/win_fd_delete_appli_log.yml
 create mode 100644 rules/windows/network_connection/win_nc_msiexec.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
 create mode 100644 rules/windows/process_creation/win_pc_dsim_remove.yml
 create mode 100644 rules/windows/process_creation/win_pc_msiexec_execute_dll.yml
 create mode 100644 rules/windows/process_creation/win_pc_msiexec_install_quiet.yml
 create mode 100644 rules/windows/registry_event/win_re_disable_administrative_share.yml
diff --git a/rules/windows/file_delete/win_fd_delete_appli_log.yml b/rules/windows/file_delete/win_fd_delete_appli_log.yml
new file mode 100644
index 000000000..a2f9df494
--- /dev/null
+++ b/rules/windows/file_delete/win_fd_delete_appli_log.yml
@@ -0,0 +1,24 @@
+title: Delete Log from Application
+id: b1decb61-ed83-4339-8e95-53ea51901720
+status: experimental
+description: Deletion of log files is a known anti-forensic technique
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+date: 2022/01/16
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection_teamviewer:
+ TargetFilename|endswith: '.log'
+ TargetFilename|contains: '\TeamViewer_'
+ filter:
+ Image: C:\Windows\system32\svchost.exe
+ condition: selection_teamviewer and not filter
+falsepositives:
+ - unknown
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/network_connection/win_nc_msiexec.yml b/rules/windows/network_connection/win_nc_msiexec.yml
new file mode 100644
index 000000000..4233f744c
--- /dev/null
+++ b/rules/windows/network_connection/win_nc_msiexec.yml
@@ -0,0 +1,25 @@
+title: Msiexec Initiated Connection
+id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+date: 2022/01/16
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith: '\msiexec.exe'
+ condition: selection
+falsepositives:
+ - Legitimate msiexec over networks
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
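Review bot: The title `Delete Log from Application` and the generic description promise a rule about application log deletion, but the only selection is `selection_teamviewer`, matching `.log` files under a `\TeamViewer_` path; either retitle it (`title: TeamViewer Log File Deleted`) or state in `description` that it is the first of a set of per-application selections. The `filter` on `Image: C:\Windows\system32\svchost.exe` looks carried over from the prefetch rule earlier in this series; nothing here establishes that svchost legitimately deletes TeamViewer logs, so a comment giving the reason for that exclusion, or its removal, is warranted. This applies only to the first hunk; the `win_nc_msiexec.yml` hunk below it is fine as written.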
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
new file mode 100644
index 000000000..170af32d9
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -0,0 +1,33 @@
+title: Suspicious Start-Process PassThru
+id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
+related:
+ - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+ type: derived
+status: experimental
+description: Attempting to disable scheduled scanning and other parts of windows defender atp.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
+date: 2022/01/16
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Set-MpPreference'
+ - ' 1'
+ ScriptBlockText|contains:
+ - DisableRealtimeMonitoring
+ - DisableBehaviorMonitoring
+ - DisableScriptScanning
+ - DisableBlockAtFirstSeen
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/process_creation/win_pc_dsim_remove.yml b/rules/windows/process_creation/win_pc_dsim_remove.yml
new file mode 100644
index 000000000..0f297399c
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_dsim_remove.yml
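Review bot: The title `Suspicious Start-Process PassThru` is copied from the previous rule and does not describe this one, which looks for `Set-MpPreference` turning off Defender features; something like `title: Windows Defender Feature Disabled via Set-MpPreference` matches the description and tags. The `' 1'` element of `contains|all` also means the documented `$true` spelling of the same switches never matches, so coverage is tied to one atomic test's exact syntax; because a mapping cannot carry `ScriptBlockText|contains` twice, the value check needs its own selection combined in the condition, as below. The `related` entry references an id that is not in this series, so a comment naming the rule it derives from would help reviewers.
```yaml
detection:
  selection_cmdlet:
    ScriptBlockText|contains: 'Set-MpPreference'
  selection_value:
    ScriptBlockText|contains:
      - ' 1'
      - '$true'
  selection_option:
    ScriptBlockText|contains:
      - DisableRealtimeMonitoring
      - DisableBehaviorMonitoring
      - DisableScriptScanning
      - DisableBlockAtFirstSeen
  condition: all of selection_*
# … unchanged: falsepositives, level, tags …
```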
@@ -0,0 +1,37 @@
+title: Dism Remove Online Package
+id: 43e32da2-fdd0-4156-90de-50dfd62636f9
+status: experimental
+description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+author: frack113
+date: 2022/01/16
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_dismhost:
+ Image|endswith: '\DismHost.exe'
+ ParentCommandLine|contains|all:
+ - '/online'
+ - '/Disable-Feature'
+ - '/FeatureName:'
+ - '/Remove'
+ #/NoRestart
+ #/quiet
+ selection_dism:
+ Image|endswith: '\Dism.exe'
+ CommandLine|contains|all:
+ - '/online'
+ - '/Disable-Feature'
+ - '/FeatureName:'
+ - '/Remove'
+ #/NoRestart
+ #/quiet
+ condition: 1 of selection_*
+falsepositives:
+ - Legitim script
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml b/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml
new file mode 100644
index 000000000..6c82e64d1
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_msiexec_execute_dll.yml
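Review bot: The selection requires the literal `'/FeatureName:'` but no feature name, so every `Dism /online /Disable-Feature ... /Remove` invocation fires regardless of which feature is removed, while the reference and the T1562.001 tag are specifically about Windows Defender; either narrow it to `- '/FeatureName:Windows-Defender'` in both selections, or change the title, description and tags to describe generic feature removal with the Defender case as an example. The commented-out `#/NoRestart` / `#/quiet` lines are left without explanation; `# optional switches seen in the atomic test, deliberately not required for the match` would turn them into useful documentation. The file name `win_pc_dsim_remove.yml` also misspells `dism`.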
@@ -0,0 +1,27 @@
+title: Suspisious Msiexec Execute Arbitrary DLL
+id: 6f4191bb-912b-48a8-9ce7-682769541e6d
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+date: 2022/01/16
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\msiexec.exe'
+ CommandLine|contains|all:
+ - ' /y'
+ #- '.dll'
+ condition: selection
+falsepositives:
+ - Legitim script
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml b/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml
new file mode 100644
index 000000000..704e600df
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_msiexec_install_quiet.yml
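Review bot: With `#- '.dll'` commented out, `CommandLine|contains|all` holds a single element, so the rule reduces to "command line contains ` /y`", which also matches any other argument that starts with `/y`; either restore the `.dll` element or record in `description` why it was dropped (a comment like `# .dll omitted: the module path may be given without an extension` would do if that is the reason). `Suspisious` in the title is misspelled, and the same misspelling appears in the title of the `win_pc_msiexec_install_quiet.yml` hunk that follows. The two msiexec rules share an identical description and references; one sentence in each naming the switch it targets (`/y` registers a module, `/i /q` is a silent install, per the linked msiexec reference) would let an analyst tell the alerts apart.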
@@ -0,0 +1,27 @@
+title: Suspisious Msiexec Quiet Install
+id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
+status: experimental
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+author: frack113
+date: 2022/01/16
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\msiexec.exe'
+ CommandLine|contains|all:
+ - ' /i'
+ - ' /q'
+ condition: selection
+falsepositives:
+ - Legitim script
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
\ No newline at end of file
diff --git a/rules/windows/registry_event/win_re_disable_administrative_share.yml b/rules/windows/registry_event/win_re_disable_administrative_share.yml
new file mode 100644
index 000000000..dee117f0e
--- /dev/null
+++ b/rules/windows/registry_event/win_re_disable_administrative_share.yml
@@ -0,0 +1,26 @@
+title: Disable Administrative Share Creation at Startup
+id:
+description: Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+author: frack113
+date: 2022/01/16
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
+ TargetObject|endswith:
+ - AutoShareWks
+ - AutoShareServer
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
From 7b3d2d4313b5615edd9000b7dfd5a531eee2c0bf Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 15:12:50 +0100
Subject: [PATCH 31/90] Fix space
---
 rules/windows/process_creation/win_pc_dsim_remove.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_pc_dsim_remove.yml b/rules/windows/process_creation/win_pc_dsim_remove.yml
index 0f297399c..fef0d5ff6 100644
--- a/rules/windows/process_creation/win_pc_dsim_remove.yml
+++ b/rules/windows/process_creation/win_pc_dsim_remove.yml
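Review bot: The description says what administrative shares are but not what the rule detects, which is what a Sigma description should lead with; suggested wording: `description: Detects registry changes that disable automatic creation of administrative shares at startup (AutoShareWks or AutoShareServer under LanmanServer\Parameters set to 0)`, with the current background sentence kept after it if wanted. The `TargetObject` and `Details` values are plain scalars while the sibling rules in this series quote their path values; quoting them (`'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\'`, `'DWORD (0x00000000)'`) keeps the files consistent and protects the trailing backslash from future edits.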
@@ -1,7 +1,7 @@
 title: Dism Remove Online Package
 id: 43e32da2-fdd0-4156-90de-50dfd62636f9
 status: experimental
-description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 author: frack113
 date: 2022/01/16
 references:
From 2ef4b1a712486cdecfa757cbf30e7d61c6b0df99 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 15:24:44 +0100
Subject: [PATCH 32/90] fix empty id
---
 .../registry_event/win_re_disable_administrative_share.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry_event/win_re_disable_administrative_share.yml b/rules/windows/registry_event/win_re_disable_administrative_share.yml
index dee117f0e..3a0ad3943 100644
--- a/rules/windows/registry_event/win_re_disable_administrative_share.yml
+++ b/rules/windows/registry_event/win_re_disable_administrative_share.yml
@@ -1,5 +1,5 @@
 title: Disable Administrative Share Creation at Startup
-id:
+id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
 description: Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
 author: frack113
 date: 2022/01/16
From be224a6f37a243b30e0eade1a0c0814dfbb6f297 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 16 Jan 2022 17:40:50 +0100
Subject: [PATCH 33/90] rule: new rules covering admin share activity
---
 ...tstrike_getsystem_service_installation.yml | 3 ++-
 ..._creation_susp_redir_local_admin_share.yml | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index e37714662..0db624db0 100644
--- a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -4,7 +4,7 @@ description: Detects the use of getsystem Meterpreter/Cobalt Strike command by d
 status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2021/11/30
+modified: 2022/01/16
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -44,6 +44,7 @@ detection:
 - 'rundll32'
 - '.dll,a'
 - '/p:'
+ - ImagePath|beginswith: '\\127.0.0.1\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
 condition: selection_id and selection
 fields:
 - ComputerName
diff --git a/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml b/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml
new file mode 100644
index 000000000..58c225a5f
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_redir_local_admin_share.yml
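Review bot: The new value `'\\127.0.0.1\ADMIN$\'` depends on how the backend treats the leading double backslash: Sigma's value escaping reads a `\\` pair as one literal backslash, so the rendered prefix may come out as `\127.0.0.1\ADMIN$\` rather than the intended UNC path; check the rendered query on the target backend and, if it collapses, write the prefix as `'\\\\127.0.0.1\ADMIN$\'`. The same question applies to the two `CommandLine|contains` values in the new rule at L123. The `selection` list this item is appended to starts outside the hunk, so whether the new entry is a sibling of the `ImagePath|contains|all` list above it or accidentally nested inside it cannot be checked here.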
@@ -0,0 +1,20 @@
+title: Suspicious Redirection to Local Admin Share
+id: ab9e3b40-0c85-4ba1-aede-455d226fd124
+status: experimental
+description: Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers
+author: Florian Roth
+date: 2022/01/16
+references:
+ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - '> \\127.0.0.1\admin$'
+ - '> \\localhost\admin$'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
From a3a9e2add890c64f5a3fb70b673458c20e2f4203 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 16 Jan 2022 17:43:55 +0100
Subject: [PATCH 34/90] fix: wrong modifier
---
 ...terpreter_or_cobaltstrike_getsystem_service_installation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 0db624db0..911ecf135 100644
--- a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -44,7 +44,7 @@ detection:
 - 'rundll32'
 - '.dll,a'
 - '/p:'
- - ImagePath|beginswith: '\\127.0.0.1\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
+ - ImagePath|startswith: '\\127.0.0.1\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
 condition: selection_id and selection
 fields:
 - ComputerName
From 82e7ce779973023ec89f31df7abba26fecc829d7 Mon Sep 17 00:00:00 2001
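Review bot: Both `CommandLine|contains` values hard-wire exactly one space between `>` and the share path, so a redirection with no space, with several spaces, or with the path in quotes does not match even though the same share is targeted; matching the redirection operator and the share path as two independent selections keeps the intent while removing the whitespace dependency. `- unknown` under falsepositives is also lower-case where the other rules in this series write `Unknown`. The rewritten detection block would be:

```yaml
detection:
    selection_redirect:
        CommandLine|contains: '>'
    selection_share:
        CommandLine|contains:
            - '\\127.0.0.1\admin$'
            - '\\localhost\admin$'
    condition: all of selection_*
# … unchanged: falsepositives, level …
```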
From: Tom Maier
Date: Mon, 17 Jan 2022 10:36:09 +0100
Subject: [PATCH 35/90] Adjust case sensitivity of Provider_Name field
---
 .../builtin/security/win_user_added_to_local_administrators.yml | 2 +-
 rules/windows/builtin/security/win_user_creation.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
index 56f6374f0..d5941fe2e 100644
--- a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
@@ -16,7 +16,7 @@ logsource:
 service: security
 detection:
 selection:
- provider_Name: Microsoft-Windows-Security-Auditing
+ Provider_Name: Microsoft-Windows-Security-Auditing
 EventID: 4732
 selection_group1:
 TargetUserName|startswith: 'Administr'
diff --git a/rules/windows/builtin/security/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
index 9a6bfb0c4..384e17516 100644
--- a/rules/windows/builtin/security/win_user_creation.yml
+++ b/rules/windows/builtin/security/win_user_creation.yml
@@ -12,7 +12,7 @@ logsource:
 service: security
 detection:
 selection:
- provider_Name: Microsoft-Windows-Security-Auditing
+ Provider_Name: Microsoft-Windows-Security-Auditing
 EventID: 4720
 condition: selection
 fields:
From 2cd464e77ca2afe12b568fe2bccdff82baf1751f Mon Sep 17 00:00:00 2001
From: Tom Maier
Date: Mon, 17 Jan 2022 14:18:33 +0100
Subject: [PATCH 36/90] Adjusted modified field to current date
---
 .../builtin/security/win_user_added_to_local_administrators.yml | 2 +-
 rules/windows/builtin/security/win_user_creation.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
index d5941fe2e..210553bf3 100644
--- a/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
@@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 status: stable
 author: Florian Roth
 date: 2017/03/14
-modified: 2021/11/30
+modified: 2021/01/17
 tags:
 - attack.privilege_escalation
 - attack.t1078
diff --git a/rules/windows/builtin/security/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
index 384e17516..69521c42f 100644
--- a/rules/windows/builtin/security/win_user_creation.yml
+++ b/rules/windows/builtin/security/win_user_creation.yml
@@ -6,7 +6,7 @@ author: Patrick Bareiss
 references:
 - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 date: 2019/04/18
-modified: 2021/11/30
+modified: 2021/01/17
 logsource:
 product: windows
 service: security
From a0983a36596c0f347f1435f190801130348fbfa4 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 18 Jan 2022 19:55:00 +0000
Subject: [PATCH 37/90] Allow dsac to perform powershell execution over named pipes. DSAC - Active Directory Admin Client
---
 .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index d36011ef3..e74a679e8 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
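Review bot: `modified: 2021/01/17` moves the modification date backwards: the value it replaces is `2021/11/30` and the commit itself is dated 17 Jan 2022, so the intended line is `modified: 2022/01/17`. The same wrong year is written in both hunks (win_user_added_to_local_administrators.yml and win_user_creation.yml). A backdated `modified` field silently breaks any tooling that sorts or filters rules by last change.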
@@ -2,11 +2,11 @@ title: Alternate PowerShell Hosts Pipe
 id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 status: test
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-author: Roberto Rodriguez @Cyb3rWard0g
+author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2021/12/17
+modified: 2022/01/18
 logsource:
 product: windows
 category: pipe_created
@@ -19,6 +19,7 @@ detection:
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
 - '\WINDOWS\System32\wsmprovhost.exe'
+ - '\Windows\system32\dsac.exe'
 filter2:
 Image: null
 condition: selection and not 1 of filter*
From ec51cf66980961dcd4dd9f171a72248c0dce866d Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 18 Jan 2022 22:20:55 +0000
Subject: [PATCH 38/90] Allow wmi service to also perform, since winrm is being allowed
---
 .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index e74a679e8..ff42393e8 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -20,6 +20,7 @@ detection:
 - '\WINDOWS\System32\sdiagnhost.exe'
 - '\WINDOWS\System32\wsmprovhost.exe'
 - '\Windows\system32\dsac.exe'
+ - '\Windows\system32\wbem\wmiprvse.exe'
 filter2:
 Image: null
 condition: selection and not 1 of filter*
From dc1e150a4696a5d9215c6b3c262d160ddb0c1234 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 18 Jan 2022 23:55:04 +0000
Subject: [PATCH 39/90] adding support for mssql sqlps.exe
---
 .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 1 +
 1 file changed, 1 insertion(+)
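Review bot: Adding `'\Windows\system32\wbem\wmiprvse.exe'` to the filter list in the third hunk takes PowerShell hosted inside the WMI provider host out of this rule's scope, and since the list it joins starts outside the hunk I am assuming it is the image allowlist that `not 1 of filter*` negates; that is a real coverage trade-off, because WMI-driven remote execution is one of the common ways PowerShell ends up loaded in WmiPrvSE without powershell.exe appearing. The commit message justifies it by parity with wsmprovhost.exe, but the rule should say so rather than leave a silent exclusion: add a comment on the line, `# WMI provider host, excluded for parity with WinRM (wsmprovhost.exe); remove if WMI-hosted PowerShell should alert`, and mention the exclusion under falsepositives. The `dsac.exe` entry in the second hunk is narrower and fine, though it would benefit from the same one-line comment naming the tool (Active Directory Administrative Center) as the commit message does.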
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index ff42393e8..a0439a274 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -21,6 +21,7 @@ detection:
 - '\WINDOWS\System32\wsmprovhost.exe'
 - '\Windows\system32\dsac.exe'
 - '\Windows\system32\wbem\wmiprvse.exe'
+ - '\Tools\Binn\SQLPS.exe' # Microsoft SQL Server\130\Tools\
 filter2:
 Image: null
 condition: selection and not 1 of filter*
From d7de27ca3cd20c899cb35997670b14647f583bdb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 19 Jan 2022 13:21:19 +0100
Subject: [PATCH 40/90] rule: extended Defender exclusions rule
---
 .../process_creation/win_powershell_defender_exclusion.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
index cb815be74..a4878832d 100644
--- a/rules/windows/process_creation/win_powershell_defender_exclusion.yml
+++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
@@ -5,18 +5,21 @@ description: Detects requests to exclude files, folders or processes from Antivi
 references:
 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
 tags:
 - attack.defense_evasion
 - attack.t1562.001
 author: Florian Roth
 date: 2021/04/29
-modified: 2021/07/12
+modified: 2022/01/19
 logsource:
 category: process_creation
 product: windows
 detection:
 selection1:
- CommandLine|contains: 'Add-MpPreference '
+ CommandLine|contains:
+ - 'Add-MpPreference '
+ - 'Set-MpPreference '
 selection2:
 CommandLine|contains:
 - ' -ExclusionPath '
From 2a118e900a3d549e04d7047d8541b6dfc00c5d38 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 19 Jan 2022 15:21:50 +0100
Subject: [PATCH 41/90] refactor: added requirement, debug output for MITRE ATTCK eval
---
 tests/test_rules.py | 5 ++++-
 tools/setup.py | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index b83726cee..43afe5767 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -756,7 +756,10 @@ def get_mitre_data():
 for r in g.external_references:
 if 'external_id' in r:
 MITRE_GROUPS.append(r['external_id'].lower())
-
+
+ # Debugging
+ print("MITRE ATT&CK LIST LENGTHS: %d " % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
+
 # Combine all IDs to a big tag list
 return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
diff --git a/tools/setup.py b/tools/setup.py
index 239d18be7..745d8b58b 100644
--- a/tools/setup.py
+++ b/tools/setup.py
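Review bot: The `# Debugging` print added to `get_mitre_data()` in the tests/test_rules.py hunk is unconditional, so it will be emitted on every test run, not only when someone is debugging the ATT&CK evaluation; if it is meant to stay, route it through the logging module or gate it on an environment variable, for example `if os.environ.get('SIGMA_DEBUG'):` in front of the print. The body of `get_mitre_data()` starts outside the hunk, so whether `os` or `logging` is already imported in the file cannot be checked here.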
@@ -45,7 +45,7 @@ setup(
 python_requires='~=3.8',
 install_requires=['PyYAML', 'pymisp', 'progressbar2', 'ruamel.yaml'],
 extras_require={
- 'test': ['coverage', 'yamllint'],
+ 'test': ['coverage', 'yamllint', 'attackcti'],
 },
 data_files=[
 ('etc/sigma', [ str(p) for p in Path('config/').glob('*.yml') ]),
From 49502f3796451b0cce69e1e7c0ef186742ad6f45 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 19 Jan 2022 15:24:24 +0100
Subject: [PATCH 42/90] fix: wrong number of placeholders
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 43afe5767..0133f0b53 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -758,7 +758,7 @@ def get_mitre_data():
 MITRE_GROUPS.append(r['external_id'].lower())
 # Debugging
- print("MITRE ATT&CK LIST LENGTHS: %d " % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
+ print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
 # Combine all IDs to a big tag list
 return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
From 37243f590227bf2891589616b8fee836074b8547 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 19 Jan 2022 14:49:00 +0000
Subject: [PATCH 43/90] Updating formatting for more accurate mssql sqlps.exe detection
---
 .../sysmon_alternate_powershell_hosts_pipe.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index a0439a274..65547337e 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
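Review bot: `'attackcti'` is added to the `test` extras in tools/setup.py without any version constraint, and that library presumably fetches ATT&CK content from MITRE's TAXII service at run time, so the test suite now depends on network access and on whatever the service returns on a given day; pin it to a known-good release (`'attackcti==<known-good-version>'`, value to be filled in from the version the tests were validated against) and consider caching the fetched data or skipping the ATT&CK-based checks when the fetch fails, so an offline or rate-limited CI run fails for the right reason. The neighbouring entries are unpinned too, so this matches the file's existing style, but the supply-chain exposure is larger for a package that pulls external data into the test process.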
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2022/01/18
+modified: 2022/01/19
 logsource:
 product: windows
 category: pipe_created
@@ -21,9 +21,13 @@ detection:
 - '\WINDOWS\System32\wsmprovhost.exe'
 - '\Windows\system32\dsac.exe'
 - '\Windows\system32\wbem\wmiprvse.exe'
- - '\Tools\Binn\SQLPS.exe' # Microsoft SQL Server\130\Tools\
 filter2:
 Image: null
+ filter3: # Microsoft SQL Server\130\Tools\
+ Image|contains|all:
+ - ':\Program Files'
+ - '\Microsoft SQL Server\'
+ Image|endswith: '\Tools\Binn\SQLPS.exe'
 condition: selection and not 1 of filter*
 fields:
 - ComputerName
From 4631d0c4829e8af427818a2499dbdbdeb433149d Mon Sep 17 00:00:00 2001
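Review bot: `filter3` and its comment `# Microsoft SQL Server\130\Tools\` do not tell the reader what is being allowlisted or why the two `contains|all` fragments are needed; a descriptive name such as `filter_sqlps:` still satisfies `1 of filter*` in the condition, and a comment like `# SQL Server PowerShell host, e.g. <drive>:\Program Files\Microsoft SQL Server\130\Tools\Binn\SQLPS.exe` makes the intent self-evident. `':\Program Files'` also matches `Program Files (x86)` by substring, which looks deliberate but is worth stating in that comment so nobody later "fixes" it. The new filter is a real improvement over the bare `'\Tools\Binn\SQLPS.exe'` suffix it replaces, since it anchors the allowlist to the installation directory.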
From: frack113 Date: Wed, 19 Jan 2022 18:23:30 +0100 Subject: [PATCH 44/90] remove invalid tag --- rules/apt/apt_silence_downloader_v3.yml | 1 - rules/apt/apt_silence_eda.yml | 2 -- .../aws/aws_cloudtrail_disable_logging.yml | 1 - .../aws/aws_config_disable_recording.yml | 1 - .../aws/aws_ec2_startup_script_change.yml | 3 --- rules/cloud/aws/aws_guardduty_disruption.yml | 1 - rules/cloud/aws/aws_root_account_usage.yml | 1 - .../auditd/lnx_auditd_alter_bash_profile.yml | 1 - .../lnx_auditd_auditing_config_change.yml | 1 - .../auditd/lnx_auditd_create_account.yml | 1 - .../lnx_auditd_logging_config_change.yml | 1 - .../linux/builtin/lnx_sudo_cve_2019_14287.yml | 1 - .../builtin/lnx_sudo_cve_2019_14287_user.yml | 1 - .../process_creation/macos_create_account.yml | 1 - .../lnx_security_tools_disabling_syslog.yml | 1 - .../lnx_security_tools_disabling.yml | 1 - .../lnx_webshell_detection.yml | 1 - .../cisco/aaa/cisco_cli_clear_logs.yml | 1 - .../cisco/aaa/cisco_cli_collect_data.yml | 3 --- .../cisco/aaa/cisco_cli_crypto_actions.yml | 2 -- .../cisco/aaa/cisco_cli_disable_logging.yml | 1 - rules/network/cisco/aaa/cisco_cli_dos.yml | 1 - .../cisco/aaa/cisco_cli_file_deletion.yml | 3 --- .../cisco/aaa/cisco_cli_input_capture.yml | 1 - .../cisco/aaa/cisco_cli_local_accounts.yml | 1 - .../cisco/aaa/cisco_cli_modify_config.yml | 2 -- .../cisco/aaa/cisco_cli_moving_data.yml | 1 - rules/network/net_dns_c2_detection.yml | 2 -- .../net_firewall_high_dns_bytes_out.yml | 1 - .../net_firewall_high_dns_requests_rate.yml | 2 -- rules/network/net_high_dns_bytes_out.yml | 1 - rules/network/net_high_dns_requests_rate.yml | 2 -- .../net_high_null_records_requests_rate.yml | 2 -- .../net_high_txt_records_requests_rate.yml | 2 -- rules/network/net_mal_dns_cobaltstrike.yml | 1 - rules/network/net_susp_dns_b64_queries.yml | 2 -- .../network/net_susp_dns_txt_exec_strings.yml | 1 - rules/network/net_susp_telegram_api.yml | 1 - .../zeek_dce_rpc_domain_user_enumeration.yml | 1 - 
.../zeek_dce_rpc_mitre_bzar_execution.yml | 2 -- .../zeek_dce_rpc_mitre_bzar_persistence.yml | 1 - rules/network/zeek/zeek_dns_mining_pools.yml | 1 - .../zeek/zeek_dns_suspicious_zbit_flag.yml | 3 +-- .../network/zeek/zeek_rdp_public_listener.yml | 1 - .../zeek_smb_converted_win_atsvc_task.yml | 1 - ..._smb_converted_win_impacket_secretdump.yml | 1 - .../zeek_smb_converted_win_lm_namedpipe.yml | 1 - .../zeek_smb_converted_win_susp_psexec.yml | 1 - ...ransferring_files_with_credential_data.yml | 1 - rules/network/zeek/zeek_susp_kerberos_rc4.yml | 1 - rules/proxy/proxy_apt40.yml | 2 -- rules/proxy/proxy_chafer_malware.yml | 1 - rules/proxy/proxy_cobalt_amazon.yml | 2 +- rules/proxy/proxy_cobalt_malformed_uas.yml | 1 - rules/proxy/proxy_cobalt_ocsp.yml | 1 - rules/proxy/proxy_cobalt_onedrive.yml | 1 - .../proxy_download_susp_tlds_blacklist.yml | 1 - .../proxy_download_susp_tlds_whitelist.yml | 1 - rules/proxy/proxy_downloadcradle_webdav.yml | 1 - rules/proxy/proxy_empire_ua_uri_combos.yml | 1 - rules/proxy/proxy_ios_implant.yml | 1 - rules/proxy/proxy_pwndrop.yml | 2 -- .../proxy/proxy_raw_paste_service_access.yml | 2 -- rules/proxy/proxy_susp_flash_download_loc.yml | 2 -- rules/proxy/proxy_telegram_api.yml | 2 -- rules/proxy/proxy_turla_comrat.yml | 1 - rules/proxy/proxy_ursnif_malware_c2_url.yml | 2 -- rules/web/web_apache_segfault.yml | 1 - .../web_cve_2018_2894_weblogic_exploit.yml | 1 - .../web_cve_2020_14882_weblogic_exploit.yml | 1 - rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 1 - rules/web/web_webshell_keyword.yml | 1 - rules/web/win_powershell_snapins_hafnium.yml | 1 - rules/web/win_webshell_regeorg.yml | 1 - .../application/win_susp_backup_delete.yml | 1 - .../application/win_susp_msmpeng_crash.yml | 1 - .../security/win_account_discovery.yml | 1 - .../win_ad_object_writedac_access.yml | 1 - ...win_ad_replication_non_machine_account.yml | 1 - .../security/win_ad_user_enumeration.yml | 1 - .../builtin/security/win_admin_rdp_login.yml | 1 - 
.../security/win_admin_share_access.yml | 1 - .../win_alert_enable_weak_encryption.yml | 1 - .../builtin/security/win_alert_ruler.yml | 1 - .../win_apt_chafer_mar18_security.yml | 3 --- .../builtin/security/win_apt_wocao.yml | 3 --- ...ary_shell_execution_via_settingcontent.yml | 1 - .../builtin/security/win_atsvc_task.yml | 1 - rules/windows/builtin/security/win_dcsync.yml | 1 - .../builtin/security/win_defender_bypass.yml | 1 - .../security/win_disable_event_logging.yml | 1 - .../win_dpapi_domain_backupkey_extraction.yml | 1 - ..._dpapi_domain_masterkey_backup_attempt.yml | 1 - .../security/win_event_log_cleared.yml | 1 - .../win_global_catalog_enumeration.yml | 1 - .../security/win_gpo_scheduledtasks.yml | 1 - .../security/win_impacket_secretdump.yml | 1 - .../builtin/security/win_lm_namedpipe.yml | 1 - .../win_lsass_access_non_system_account.yml | 1 - .../win_metasploit_authentication.yml | 1 - .../security/win_net_ntlm_downgrade.yml | 1 - .../win_net_share_obj_susp_desktop_ini.yml | 1 - .../security/win_not_allowed_rdp_access.yml | 1 - .../security/win_overpass_the_hash.yml | 1 - .../builtin/security/win_pass_the_hash.yml | 1 - .../builtin/security/win_pass_the_hash_2.yml | 1 - .../win_protected_storage_service_access.yml | 1 - .../security/win_rare_schtasks_creations.yml | 1 - .../security/win_rdp_localhost_login.yml | 1 - .../security/win_rdp_reverse_tunnel.yml | 2 -- ...n_register_new_logon_process_by_rubeus.yml | 1 - .../win_remote_powershell_session.yml | 1 - .../security/win_scheduled_task_deletion.yml | 1 - .../security/win_security_mal_creddumper.yml | 2 -- .../win_security_mal_service_installs.yml | 2 -- ...cobaltstrike_getsystem_service_install.yml | 1 - .../security/win_security_wmi_persistence.yml | 1 - .../security/win_susp_add_sid_history.yml | 1 - .../win_susp_codeintegrity_check_failure.yml | 1 - .../security/win_susp_eventlog_cleared.yml | 1 - .../security/win_susp_ldap_dataexchange.yml | 1 - .../win_susp_local_anon_logon_created.yml | 1 - 
.../builtin/security/win_susp_lsass_dump.yml | 1 - .../security/win_susp_lsass_dump_generic.yml | 1 - .../security/win_susp_net_recon_activity.yml | 2 -- .../builtin/security/win_susp_psexec.yml | 1 - .../security/win_susp_rc4_kerberos.yml | 1 - .../security/win_susp_rottenpotato.yml | 1 - .../builtin/security/win_susp_sdelete.yml | 2 -- .../security/win_susp_time_modification.yml | 1 - ...uspicious_outbound_kerberos_connection.yml | 1 - .../security/win_svcctl_remote_service.yml | 1 - ...ith_credential_data_via_network_shares.yml | 1 - ...ileged_service_lsaregisterlogonprocess.yml | 1 - .../builtin/security/win_user_creation.yml | 1 - .../security/win_user_driver_loaded.yml | 1 - .../system/win_apt_carbonpaper_turla.yml | 1 - .../system/win_apt_chafer_mar18_system.yml | 3 --- .../builtin/system/win_apt_stonedrill.yml | 1 - .../system/win_apt_turla_service_png.yml | 1 - .../builtin/system/win_hack_smbexec.yml | 2 -- .../builtin/system/win_mal_creddumper.yml | 2 -- ...tstrike_getsystem_service_installation.yml | 1 - ...rkspwdump_clearing_hive_access_history.yml | 1 - .../system/win_rare_service_installs.yml | 1 - .../builtin/system/win_susp_dhcp_config.yml | 1 - .../system/win_susp_dhcp_config_failed.yml | 1 - .../builtin/system/win_susp_sam_dump.yml | 1 - .../system/win_system_defender_disabled.yml | 1 - .../win_system_susp_eventlog_cleared.yml | 1 - .../builtin/system/win_tool_psexec.yml | 1 - .../builtin/win_alert_mimikatz_keywords.yml | 1 - .../sysmon_cactustorch.yml | 2 -- .../sysmon_cobaltstrike_process_injection.yml | 1 - .../sysmon_createremotethread_loadlibrary.yml | 1 - .../sysmon_password_dumper_lsass.yml | 1 - .../sysmon_susp_powershell_rundll32.yml | 2 -- .../sysmon_ads_executable.yml | 1 - .../powershell_suspicious_download.yml | 1 - ...wershell_suspicious_invocation_generic.yml | 1 - ...ershell_suspicious_invocation_specific.yml | 1 - .../dns_query/dns_net_mal_cobaltstrike.yml | 1 - .../dns_query_regsvr32_network_activity.yml | 2 -- 
.../driver_load_mal_creddumper.yml | 2 -- ...tstrike_getsystem_service_installation.yml | 1 - .../driver_load/driver_load_susp_temp_use.yml | 1 - .../file_event_apt_unidentified_nov_18.yml | 1 - .../file_event/file_event_hack_dumpert.yml | 1 - .../file_event_hktl_createminidump.yml | 1 - .../file_event/file_event_lsass_dump.yml | 1 - .../file_event/file_event_mal_adwind.yml | 1 - .../file_event/file_event_tool_psexec.yml | 1 - .../sysmon_creation_system_file.yml | 1 - .../sysmon_cred_dump_tools_dropped_files.yml | 1 - .../sysmon_ghostpack_safetykatz.yml | 1 - ...sysmon_lsass_memory_dump_file_creation.yml | 1 - .../file_event/sysmon_office_persistence.yml | 1 - .../sysmon_powershell_exploit_scripts.yml | 1 - .../file_event/sysmon_quarkspw_filedump.yml | 1 - .../sysmon_susp_adsi_cache_usage.yml | 1 - .../file_event/sysmon_susp_desktop_ini.yml | 1 - ...cexplorer_driver_created_in_tmp_folder.yml | 1 - .../sysmon_webshell_creation_detect.yml | 1 - ...ersistence_script_event_consumer_write.yml | 1 - .../sysmon_abusing_azure_browser_sso.yml | 1 - .../sysmon_in_memory_powershell.yml | 1 - .../image_load/sysmon_susp_fax_dll.yml | 2 -- .../image_load/sysmon_susp_image_load.yml | 1 - ...n_susp_office_dotnet_assembly_dll_load.yml | 1 - ...sysmon_susp_office_dotnet_clr_dll_load.yml | 1 - ...sysmon_susp_office_dotnet_gac_dll_load.yml | 1 - .../sysmon_susp_office_dsparse_dll_load.yml | 1 - .../sysmon_susp_office_kerberos_dll_load.yml | 1 - .../sysmon_susp_winword_vbadll_load.yml | 1 - ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 1 - ...sysmon_svchost_dll_search_order_hijack.yml | 2 -- ...ysmon_unsigned_image_loaded_into_lsass.yml | 1 - ...persistence_commandline_event_consumer.yml | 1 - rules/windows/malware/av_webshell.yml | 1 - .../sysmon_dllhost_net_connections.yml | 1 - .../sysmon_malware_backconnect_ports.yml | 1 - .../sysmon_powershell_network_connection.yml | 1 - .../sysmon_rdp_reverse_tunnel.yml | 1 - .../sysmon_regsvr32_network_activity.yml | 14 +++++------ 
...smon_remote_powershell_session_network.yml | 2 -- .../sysmon_rundll32_net_connections.yml | 1 - .../network_connection/sysmon_susp_rdp.yml | 1 - ...uspicious_outbound_kerberos_connection.yml | 2 -- .../sysmon_win_binary_github_com.yml | 1 - ..._applocker_file_was_not_allowed_to_run.yml | 4 --- .../other/dns_server/win_susp_dns_config.yml | 1 - .../windows/other/ntlm/win_susp_ntlm_auth.yml | 1 - .../win_rare_schtask_creation.yml | 1 - .../windefend/win_alert_lsass_access.yml | 1 - .../other/windefend/win_defender_disabled.yml | 1 - .../windefend/win_defender_exclusions.yml | 1 - .../windefend/win_defender_psexec_wmi_asr.yml | 1 - ...win_defender_tamper_protection_trigger.yml | 1 - .../windows/other/wmi/win_wmi_persistence.yml | 1 - .../pipe_created/pipe_created_tool_psexec.yml | 1 - ...sysmon_alternate_powershell_hosts_pipe.yml | 1 - .../sysmon_cred_dump_tools_named_pipes.yml | 1 - .../posh_pc_alternate_powershell_hosts.yml | 1 - .../posh_pc_downgrade_attack.yml | 1 - .../posh_pc_exe_calling_ps.yml | 1 - .../posh_pc_remote_powershell_session.yml | 2 -- .../posh_pc_renamed_powershell.yml | 1 - .../posh_pc_suspicious_download.yml | 1 - .../posh_pc_xor_commandline.yml | 1 - .../posh_pm_alternate_powershell_hosts.yml | 1 - .../posh_pm_bad_opsec_artifacts.yml | 1 - .../posh_pm_clear_powershell_history.yml | 1 - ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 1 - .../posh_pm_remote_powershell_session.yml | 2 -- .../posh_pm_suspicious_download.yml | 1 - .../posh_pm_suspicious_invocation_generic.yml | 1 - ...posh_pm_suspicious_invocation_specific.yml | 1 - .../posh_ps_create_local_user.yml | 4 +-- .../posh_ps_data_compressed.yml | 1 - .../posh_ps_dnscat_execution.yml | 1 - ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 1 - .../posh_ps_malicious_commandlets.yml | 1 - .../posh_ps_malicious_keywords.yml | 1 - .../posh_ps_nishang_malicious_commandlets.yml | 1 - .../posh_ps_ntfs_ads_access.yml | 2 -- .../posh_ps_prompt_credentials.yml | 1 - 
.../powershell_script/posh_ps_psattack.yml | 1 - .../posh_ps_shellcode_b64.yml | 1 - .../posh_ps_suspicious_download.yml | 1 - .../posh_ps_suspicious_invocation_generic.yml | 1 - ...posh_ps_suspicious_invocation_specific.yml | 1 - .../posh_ps_suspicious_keywords.yml | 1 - .../powershell_script/posh_ps_web_request.yml | 1 - .../posh_ps_winlogon_helper_dll.yml | 3 +-- .../powershell_script/posh_ps_wmimplant.yml | 1 - .../sysmon_cmstp_execution_by_access.yml | 2 -- .../sysmon_cred_dump_lsass_access.yml | 1 - .../sysmon_in_memory_assembly_execution.yml | 1 - .../process_access/sysmon_invoke_phantom.yml | 1 - .../process_access/sysmon_lsass_memdump.yml | 1 - .../sysmon_mimikatz_trough_winrm.yml | 3 --- .../win_susp_proc_access_lsass.yml | 1 - ...win_susp_proc_access_lsass_susp_source.yml | 1 - ...s_creation_apt_turla_commands_critical.yml | 1 - ...ess_creation_apt_turla_commands_medium.yml | 1 - .../process_creation_apt_wocao.yml | 3 --- ...cess_creation_dns_serverlevelplugindll.yml | 1 - .../process_creation_hack_dumpert.yml | 1 - ...ocess_creation_stickykey_like_backdoor.yml | 1 - .../process_creation_susp_web_request_cmd.yml | 1 - ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 1 - .../process_creation_tool_psexec.yml | 2 -- .../sysmon_apt_muddywater_dnstunnel.yml | 1 - .../sysmon_cmstp_execution_by_creation.yml | 1 - .../process_creation/sysmon_hack_wce.yml | 1 - ...on_scripts_userinitmprlogonscript_proc.yml | 1 - .../wim_pc_apt_chafer_mar18.yml | 3 --- .../win_apt_apt29_thinktanks.yml | 2 -- .../process_creation/win_apt_babyshark.yml | 4 --- .../win_apt_bear_activity_gtr19.yml | 2 -- .../process_creation/win_apt_bluemashroom.yml | 1 - .../process_creation/win_apt_cloudhopper.yml | 1 - .../process_creation/win_apt_elise.yml | 1 - .../win_apt_emissarypanda_sep19.yml | 1 - .../process_creation/win_apt_empiremonkey.yml | 1 - .../win_apt_equationgroup_dll_u_load.yml | 1 - .../win_apt_evilnum_jul20.yml | 1 - .../win_apt_greenbug_may20.yml | 2 -- 
.../win_apt_judgement_panda_gtr19.yml | 2 -- .../win_apt_ke3chang_regadd.yml | 1 - .../win_apt_lazarus_session_highjack.yml | 1 - .../process_creation/win_apt_sofacy.yml | 2 -- .../process_creation/win_apt_ta17_293a_ps.yml | 1 - .../process_creation/win_apt_taidoor.yml | 1 - .../win_apt_tropictrooper.yml | 1 - .../win_apt_turla_comrat_may20.yml | 2 -- .../win_apt_unidentified_nov_18.yml | 1 - .../win_apt_winnti_mal_hk_jan20.yml | 1 - .../win_apt_winnti_pipemon.yml | 1 - .../process_creation/win_apt_zxshell.yml | 2 -- .../win_attrib_hiding_files.yml | 1 - .../win_bad_opsec_sacrificial_processes.yml | 1 - .../win_bypass_squiblytwo.yml | 1 - .../win_change_default_file_association.yml | 1 - .../process_creation/win_cmdkey_recon.yml | 1 - .../win_cmstp_com_object_access.yml | 2 -- .../win_commandline_path_traversal.yml | 1 - .../win_control_panel_item.yml | 1 - ...g_sensitive_files_with_credential_data.yml | 1 - ..._credential_access_via_password_filter.yml | 1 - .../process_creation/win_crime_fireball.yml | 1 - .../win_crime_maze_ransomware.yml | 1 - .../win_data_compressed_with_rar.yml | 2 -- .../win_dns_exfiltration_tools_execution.yml | 3 --- .../win_encoded_frombase64string.yml | 1 - .../process_creation/win_encoded_iex.yml | 1 - ...ltration_and_tunneling_tools_execution.yml | 1 - .../win_exploit_cve_2015_1641.yml | 1 - .../win_exploit_cve_2017_0261.yml | 2 -- .../win_exploit_cve_2017_11882.yml | 2 -- .../win_exploit_cve_2017_8759.yml | 2 -- .../win_exploit_cve_2019_1378.yml | 1 - .../win_exploit_cve_2020_10189.yml | 2 -- .../win_exploit_cve_2020_1048.yml | 1 - .../win_file_permission_modifications.yml | 3 +-- .../win_grabbing_sensitive_hives_via_reg.yml | 1 - .../process_creation/win_hack_bloodhound.yml | 3 --- .../process_creation/win_hack_koadic.yml | 4 +-- .../process_creation/win_hack_rubeus.yml | 2 -- .../win_hack_secutyxploded.yml | 2 -- rules/windows/process_creation/win_hh_chm.yml | 4 +-- .../win_hiding_malware_in_fonts_folder.yml | 1 - 
.../win_hktl_createminidump.yml | 1 - .../process_creation/win_html_help_spawn.yml | 1 - .../process_creation/win_hwp_exploits.yml | 2 -- .../win_impacket_lateralization.yml | 2 -- .../win_install_reg_debugger_backdoor.yml | 1 - .../process_creation/win_interactive_at.yml | 1 - ...obfuscation_obfuscated_iex_commandline.yml | 1 - .../process_creation/win_lethalhta.yml | 2 -- ...n_local_system_owner_account_discovery.yml | 1 - .../win_lolbas_execution_of_wuauclt.yml | 1 - .../process_creation/win_lsass_dump.yml | 1 - .../process_creation/win_mal_adwind.yml | 1 - .../process_creation/win_malware_emotet.yml | 1 - .../process_creation/win_malware_notpetya.yml | 4 --- .../process_creation/win_malware_qbot.yml | 2 -- .../process_creation/win_malware_ryuk.yml | 1 - .../win_malware_script_dropper.yml | 2 -- .../process_creation/win_malware_wannacry.yml | 1 - .../win_mavinject_proc_inj.yml | 1 - ...r_cobaltstrike_getsystem_service_start.yml | 1 - .../win_mimikatz_command_line.yml | 1 - .../win_mmc20_lateral_movement.yml | 1 - .../process_creation/win_mmc_spawn_shell.yml | 1 - ..._modif_of_services_for_via_commandline.yml | 2 -- .../process_creation/win_mshta_javascript.yml | 1 - .../win_mshta_spawn_shell.yml | 1 - .../process_creation/win_net_user_add.yml | 1 - .../win_netsh_allow_port_rdp.yml | 1 - .../process_creation/win_netsh_fw_add.yml | 1 - .../win_netsh_fw_add_susp_image.yml | 1 - .../win_new_service_creation.yml | 1 - .../win_non_interactive_powershell.yml | 1 - .../process_creation/win_office_shell.yml | 1 - ..._office_spawn_exe_from_users_directory.yml | 1 - .../win_plugx_susp_exe_locations.yml | 1 - .../win_possible_applocker_bypass.yml | 4 --- ...ation_via_service_registry_permissions.yml | 1 - .../win_powershell_amsi_bypass.yml | 1 - .../win_powershell_disable_windef_av.yml | 1 - .../win_powershell_dll_execution.yml | 1 - .../win_powershell_downgrade_attack.yml | 1 - .../win_powershell_download.yml | 1 - ...in_powershell_reverse_shell_connection.yml | 1 - 
...ershell_suspicious_parameter_variation.yml | 1 - .../win_powershell_xor_commandline.yml | 1 - .../win_powersploit_empire_schtasks.yml | 2 -- .../win_proc_wrong_parent.yml | 1 - .../win_process_dump_rundll32_comsvcs.yml | 1 - .../process_creation/win_psexesvc_start.yml | 1 - .../win_redmimicry_winnti_proc.yml | 1 - .../win_remote_powershell_session_process.yml | 1 - .../process_creation/win_renamed_binary.yml | 1 - .../win_renamed_binary_highly_relevant.yml | 1 - .../process_creation/win_renamed_jusched.yml | 1 - .../process_creation/win_renamed_paexec.yml | 1 - .../win_renamed_powershell.yml | 1 - .../process_creation/win_renamed_procdump.yml | 1 - .../process_creation/win_renamed_psexec.yml | 1 - .../win_run_powershell_script_from_ads.yml | 1 - .../win_sdbinst_shim_persistence.yml | 1 - .../win_service_execution.yml | 1 - .../win_shadow_copies_access_symlink.yml | 1 - .../win_shell_spawn_mshta.yml | 1 - .../win_shell_spawn_susp_program.yml | 1 - .../windows/process_creation/win_spn_enum.yml | 1 - ...uthenticated_privileged_console_access.yml | 1 - .../process_creation/win_susp_bcdedit.yml | 1 - .../win_susp_child_process_as_system_.yml | 1 - .../win_susp_compression_params.yml | 3 --- .../win_susp_comsvcs_procdump.yml | 1 - .../win_susp_control_dll_load.yml | 1 - .../win_susp_copy_lateral_movement.yml | 1 - .../process_creation/win_susp_covenant.yml | 3 +-- .../win_susp_crackmapexec_execution.yml | 1 - ...sp_crackmapexec_powershell_obfuscation.yml | 2 -- .../windows/process_creation/win_susp_csc.yml | 1 - .../process_creation/win_susp_csc_folder.yml | 1 - .../win_susp_dctask64_proc_inject.yml | 1 - .../win_susp_devtoolslauncher.yml | 3 +-- ...susp_direct_asep_reg_keys_modification.yml | 1 - .../win_susp_disable_ie_features.yml | 1 - .../process_creation/win_susp_ditsnap.yml | 1 - .../windows/process_creation/win_susp_dnx.yml | 1 - .../win_susp_double_extension.yml | 1 - .../process_creation/win_susp_dxcap.yml | 1 - .../win_susp_eventlog_clear.yml | 1 - 
.../win_susp_execution_path_webserver.yml | 1 - .../win_susp_file_characteristics.yml | 2 -- .../windows/process_creation/win_susp_gup.yml | 1 - .../win_susp_iss_module_install.yml | 1 - .../process_creation/win_susp_msiexec_cwd.yml | 1 - .../process_creation/win_susp_ntdsutil.yml | 1 - .../process_creation/win_susp_odbcconf.yml | 2 -- .../process_creation/win_susp_openwith.yml | 1 - .../win_susp_outlook_temp.yml | 1 - .../process_creation/win_susp_pcwutl.yml | 2 -- .../win_susp_powershell_empire_launch.yml | 1 - .../win_susp_powershell_empire_uac_bypass.yml | 1 - .../win_susp_powershell_enc_cmd.yml | 1 - .../win_susp_powershell_encoded_param.yml | 1 - .../win_susp_powershell_hidden_b64_cmd.yml | 1 - .../win_susp_powershell_parent_combo.yml | 1 - .../win_susp_powershell_parent_process.yml | 1 - .../win_susp_procdump_lsass.yml | 3 +-- .../process_creation/win_susp_ps_appdata.yml | 1 - .../win_susp_ps_downloadfile.yml | 1 - .../process_creation/win_susp_rar_flags.yml | 2 -- .../win_susp_rasdial_activity.yml | 1 - .../win_susp_recon_activity.yml | 1 - .../win_susp_regsvr32_anomalies.yml | 2 -- .../win_susp_regsvr32_flags_anomaly.yml | 1 - .../win_susp_rundll32_activity.yml | 2 -- .../win_susp_rundll32_by_ordinal.yml | 2 -- .../win_susp_schtask_creation.yml | 1 - .../win_susp_script_execution.yml | 2 +- .../win_susp_service_path_modification.yml | 1 - .../win_susp_shell_spawn_from_mssql.yml | 1 - .../process_creation/win_susp_svchost.yml | 1 - .../win_susp_sysvol_access.yml | 1 - .../win_susp_tscon_rdp_redirect.yml | 1 - .../process_creation/win_susp_winrar_dmp.yml | 10 +++----- .../win_susp_winrar_execution.yml | 2 -- .../win_task_folder_evasion.yml | 2 -- .../process_creation/win_uac_cmstp.yml | 2 -- .../process_creation/win_uac_fodhelper.yml | 1 - .../process_creation/win_uac_wsreset.yml | 1 - .../win_webshell_detection.yml | 2 -- .../win_webshell_recon_detection.yml | 2 -- .../process_creation/win_webshell_spawn.yml | 1 - .../win_win10_sched_task_0day.yml | 1 - 
..._wmi_backdoor_exchange_transport_agent.yml | 1 - ..._wmi_persistence_script_event_consumer.yml | 1 - .../win_wmi_spwns_powershell.yml | 10 +++----- .../win_wsreset_uac_bypass.yml | 1 - .../win_xsl_script_processing.yml | 1 - .../registry_event_apt_chafer_mar18.yml | 25 ++++++++----------- .../registry_event_defender_disabled.yml | 1 - .../registry_event_defender_exclusions.yml | 1 - ...egistry_event_dns_serverlevelplugindll.yml | 1 - .../registry_event_mal_adwind.yml | 9 +++---- .../registry_event_net_ntlm_downgrade.yml | 1 - ...registry_event_stickykey_like_backdoor.yml | 15 ++++++----- .../registry_event_uac_bypass_eventvwr.yml | 11 ++++---- .../registry_event/sysmon_apt_leviathan.yml | 7 +++--- .../sysmon_asep_reg_keys_modification.yml | 7 +++--- .../sysmon_cmstp_execution_by_registry.yml | 13 +++++----- .../registry_event/sysmon_dhcp_calloutdll.yml | 1 - ...y_events_logging_adding_reg_key_minint.yml | 1 - .../registry_event/sysmon_hack_wce_reg.yml | 1 - ...gon_scripts_userinitmprlogonscript_reg.yml | 1 - .../sysmon_narrator_feedback_persistance.yml | 1 - ..._dll_added_to_appcertdlls_registry_key.yml | 1 - ...dll_added_to_appinit_dlls_registry_key.yml | 7 +++--- ...ysmon_registry_persistence_key_linking.yml | 7 +++--- ...mon_registry_trust_record_modification.yml | 1 - .../sysmon_ssp_added_lsa_config.yml | 1 - .../sysmon_susp_download_run_key.yml | 1 - .../sysmon_susp_lsass_dll_load.yml | 1 - .../sysmon_susp_reg_persist_explorer_run.yml | 2 -- .../sysmon_susp_run_key_img_folder.yml | 7 +++--- .../sysmon_susp_service_installed.yml | 1 - .../sysmon_uac_bypass_sdclt.yml | 11 ++++---- .../sysmon_win_reg_persistence.yml | 1 - .../sysmon_wmi_event_subscription.yml | 1 - .../wmi_event/sysmon_wmi_susp_scripting.yml | 7 +++--- 497 files changed, 81 insertions(+), 692 deletions(-) diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml index faeea86db..0f5fba3e4 100644 --- a/rules/apt/apt_silence_downloader_v3.yml 
+++ b/rules/apt/apt_silence_downloader_v3.yml
@@ -31,7 +31,6 @@ level: high
 tags:
 - attack.persistence
 - attack.t1547.001
- - attack.t1060 # an old one
 - attack.discovery
 - attack.t1057
 - attack.t1082
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index ad8aadcf9..8f4d5ef82 100644
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@@ -32,10 +32,8 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.command_and_control
 - attack.t1071.004
- - attack.t1071 # an old one
 - attack.t1572
 - attack.impact
 - attack.t1529
diff --git a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
index 6d3e484db..965007fc9 100644
--- a/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/aws_cloudtrail_disable_logging.yml
@@ -24,4 +24,3 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_config_disable_recording.yml b/rules/cloud/aws/aws_config_disable_recording.yml
index 71ff54910..6a0d9e6a3 100644
--- a/rules/cloud/aws/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/aws_config_disable_recording.yml
@@ -21,4 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml
index 1e8aa959c..b483c2036 100644
--- a/rules/cloud/aws/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml
@@ -22,8 +22,5 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.t1059.003
 - attack.t1059.004
- - attack.t1059 # an old one
- - attack.t1064 # an old one
diff --git a/rules/cloud/aws/aws_guardduty_disruption.yml b/rules/cloud/aws/aws_guardduty_disruption.yml
index d7500a063..259414a9f 100644
--- a/rules/cloud/aws/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/aws_guardduty_disruption.yml
@@ -21,4 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
- - attack.t1089 # an old one
diff --git a/rules/cloud/aws/aws_root_account_usage.yml b/rules/cloud/aws/aws_root_account_usage.yml
index 2306c3222..14bbc35e5 100644
--- a/rules/cloud/aws/aws_root_account_usage.yml
+++ b/rules/cloud/aws/aws_root_account_usage.yml
@@ -22,4 +22,3 @@ level: medium
 tags:
 - attack.privilege_escalation
 - attack.t1078.004
- - attack.t1078 # an old one
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index 89030ee2d..9bc2d54c2 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -28,6 +28,5 @@ falsepositives:
 level: medium
 tags:
 - attack.s0003
- - attack.t1156 # an old one
 - attack.persistence
 - attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 6d2657ca7..71ce7553c 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -28,5 +28,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1054 # an old one
 - attack.t1562.006
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 8d2d96b09..0cc93ec67 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -19,6 +19,5 @@ falsepositives:
 - Admin activity
 level: medium
 tags:
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index 018008956..028aac4f9 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1054 # an old one
 - attack.t1562.006
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
index dfaa5a4ef..2b1d7f6cd 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
@@ -14,7 +14,6 @@ logsource:
 tags:
 - attack.privilege_escalation
 - attack.t1068
- - attack.t1169 # an old one
 - attack.t1548.003
 - cve.2019.14287
 detection:
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
index 96afaf522..160c8094b 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
@@ -18,7 +18,6 @@ logsource:
 tags:
 - attack.privilege_escalation
 - attack.t1068
- - attack.t1169 # an old one
 - attack.t1548.003
 - cve.2019.14287
 detection:
diff --git a/rules/linux/macos/process_creation/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
index b5e7862d9..573af8117 100644
--- a/rules/linux/macos/process_creation/macos_create_account.yml
+++ b/rules/linux/macos/process_creation/macos_create_account.yml
@@ -21,6 +21,5 @@ falsepositives:
 - Legitimate administration activities
 level: low
 tags:
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index 655b9528e..096cbe2e9 100644
--- a/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.004
- - attack.t1089 # an old one
 logsource:
 product: linux
 service: syslog
diff --git a/rules/linux/process_creation/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml
index 56bc28af5..0455235a2 100644
--- a/rules/linux/process_creation/lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/lnx_security_tools_disabling.yml
@@ -10,7 +10,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.004
- - attack.t1089 # an old one
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml
index dcef68df3..89ed46e9a 100644
--- a/rules/linux/process_creation/lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/lnx_webshell_detection.yml
@@ -8,7 +8,6 @@ date: 2021/10/15
 author: Florian Roth
 tags:
 - attack.persistence
- - attack.t1100 # an old one
 - attack.t1505.003
 logsource:
 product: linux
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 2c261f2d9..2b1d1ff0d 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1146 # an old one
 - attack.t1070.003
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index d7735944d..a3c03bf52 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -29,9 +29,6 @@ tags:
 - attack.discovery
 - attack.credential_access
 - attack.collection
- - attack.t1087 # an old one
 - attack.t1087.001
- - attack.t1003 # an old one
- - attack.t1081 # an old one
 - attack.t1552.001
 - attack.t1005
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index b3dfc8fc4..35510c62e 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -27,7 +27,5 @@ level: high
 tags:
 - attack.credential_access
 - attack.defense_evasion
- - attack.t1130 # an old one
 - attack.t1553.004
- - attack.t1145 # an old one
 - attack.t1552.004
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 510ec7346..d90b34743 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index fc0c76fa9..bdedcfc76 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -24,5 +24,4 @@ tags:
 - attack.impact
 - attack.t1495
 - attack.t1529
- - attack.t1492 # an old one
 - attack.t1565.001
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 9849c2364..4e35a0dd1 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -23,9 +23,6 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.impact
- - attack.t1107 # an old one
 - attack.t1070.004
- - attack.t1488 # an old one
 - attack.t1561.001
- - attack.t1487 # an old one
 - attack.t1561.002
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index 27c70acec..bf429a053 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1139 # an old one
 - attack.t1552.003
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 0a57541c9..4d579b008 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -21,6 +21,5 @@ falsepositives:
 level: high
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.t1098
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index e1b6d7684..dffc9bced 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -30,7 +30,5 @@ tags:
 - attack.impact
 - attack.t1490
 - attack.t1505
- - attack.t1493 # an old one
 - attack.t1565.002
- - attack.t1168 # an old one
 - attack.t1053
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index a80bbfb5b..138a0f3d4 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -30,5 +30,4 @@ tags:
 - attack.exfiltration
 - attack.t1074
 - attack.t1105
- - attack.t1002 # an old one
 - attack.t1560.001
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 497ab0b5f..4d0edd9e0 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -19,8 +19,6 @@ falsepositives:
 level: high
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
diff --git a/rules/network/net_firewall_high_dns_bytes_out.yml b/rules/network/net_firewall_high_dns_bytes_out.yml
index afe5e839e..1b5e3bf9f 100644
--- a/rules/network/net_firewall_high_dns_bytes_out.yml
+++ b/rules/network/net_firewall_high_dns_bytes_out.yml
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 logsource:
 category: firewall
diff --git a/rules/network/net_firewall_high_dns_requests_rate.yml b/rules/network/net_firewall_high_dns_requests_rate.yml
index 843c080a7..b57f3feca 100644
--- a/rules/network/net_firewall_high_dns_requests_rate.yml
+++ b/rules/network/net_firewall_high_dns_requests_rate.yml
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 category: firewall
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml
index 193bfcdff..86cd973f6 100644
--- a/rules/network/net_high_dns_bytes_out.yml
+++ b/rules/network/net_high_dns_bytes_out.yml
@@ -7,7 +7,6 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 logsource:
 category: dns
diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml
index da8727716..20dd6a519 100644
--- a/rules/network/net_high_dns_requests_rate.yml
+++ b/rules/network/net_high_dns_requests_rate.yml
@@ -7,10 +7,8 @@ date: 2019/10/24
 modified: 2021/09/21
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml
index e8166edca..a5e92db2e 100644
--- a/rules/network/net_high_null_records_requests_rate.yml
+++ b/rules/network/net_high_null_records_requests_rate.yml
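Review bot: The `modified: 2021/09/21` context line of net_firewall_high_dns_bytes_out.yml is left untouched while the rule's tag list changes in the lines below it. If the repository's convention is to bump `modified:` whenever a rule file changes, this hunk and the other tag-cleanup hunks that show the field (net_firewall_high_dns_requests_rate, net_high_dns_bytes_out, net_high_dns_requests_rate here, zeek_dce_rpc_domain_user_enumeration further down) should carry a new date. If tag-only cleanups are deliberately exempt, a sentence to that effect in the commit message would save reviewers the question.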
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml
index fac27dab9..95c2ea626 100644
--- a/rules/network/net_high_txt_records_requests_rate.yml
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@@ -17,8 +17,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index d07c4f8ab..a7c46dd46 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: critical
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml
index c235127de..76cbf9663 100644
--- a/rules/network/net_susp_dns_b64_queries.yml
+++ b/rules/network/net_susp_dns_b64_queries.yml
@@ -18,8 +18,6 @@ falsepositives:
 level: medium
 tags:
 - attack.exfiltration
- - attack.t1048 # an old one
 - attack.t1048.003
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 9ea3d56d2..91533cedc 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -23,5 +23,4 @@ falsepositives:
 level: high
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml
index 4e813ed87..b37de31a3 100644
--- a/rules/network/net_susp_telegram_api.yml
+++ b/rules/network/net_susp_telegram_api.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: medium
 tags:
 - attack.command_and_control
- - attack.t1102 # an old one
 - attack.t1102.002
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index 316835f92..efe93efe0 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -9,7 +9,6 @@ date: 2020/05/03
 modified: 2021/11/14
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
 - attack.t1082
 logsource:
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index b586d3831..568d8a0f6 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -48,8 +48,6 @@ falsepositives:
 level: medium
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1047
- - attack.t1053 # an old one
 - attack.t1053.002
 - attack.t1569.002
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 4621e4f36..d9dfdcfbc 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -36,5 +36,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1004 # an old one
 - attack.t1547.004
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 4b80f9055..87868b483 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -12,7 +12,6 @@ logsource:
 service: dns
 product: zeek
 tags:
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.t1496
 detection:
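Review bot: The final line of net_susp_telegram_api.yml is still written without a terminating newline (the `\ No newline at end of file` marker survives on the new side of the hunk), and since this hunk already edits the end of the file it is the natural place to add one. The other rule files in this patch end cleanly, and a missing final newline produces noisy follow-up diffs and trips yamllint's `new-line-at-end-of-file` check.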
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 06b8a5801..0e6a8c2e1 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -11,9 +11,8 @@ references:
 - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 author: '@neu5ron, SOC Prime Team, Corelight'
 tags:
- - attack.t1094 # an old one
 - attack.t1095
- - attack.t1043
+ - attack.t1571
 - attack.command_and_control
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index 8b2f1a02f..1f41a07f9 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -5,7 +5,6 @@ description: Detects connections from routable IPs to an RDP listener - which is
 references:
 - https://attack.mitre.org/techniques/T1021/001/
 tags:
- - attack.t1021 # an old one
 - attack.t1021.001
 author: 'Josh Brower @DefensiveDepth'
 date: 2020/08/22
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 7451b3b31..952010ffb 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -22,7 +22,6 @@ level: medium
 tags:
 - attack.lateral_movement
 - attack.persistence
- - attack.t1053 # an old one
 - car.2013-05-004
 - car.2015-04-001
 - attack.t1053.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 98ad4d204..f0b7975ae 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
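Review bot: In zeek_dns_suspicious_zbit_flag.yml the deprecated `attack.t1043` is replaced by `+ - attack.t1571`, whereas every other hunk in this patch that carries `attack.t1043` (proxy_apt40, proxy_chafer_malware, the proxy_cobalt_* rules and the rest of the proxy set further down) simply drops it. If T1571 (Non-Standard Port) is the agreed successor for the retired technique it should be applied to those rules as well; if it is not — and a DNS Z-bit anomaly does not obviously involve a non-standard port — this rule should drop the tag like the others. Either way the mapping deserves a word in the commit message, since a mismatched technique id silently skews any ATT&CK coverage reporting built from these tags.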
@@ -23,7 +23,6 @@ falsepositives:
 level: high
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index 74f765b4a..e9b886aa5 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -39,5 +39,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 13162d6a0..2093f2dfd 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -30,5 +30,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 848b04118..ed9fc8db2 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -27,7 +27,6 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 5b2517060..173944db0 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1208 # an old one
 - attack.t1558.003
diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml
index 56869f0ef..ad78cd5f8 100644
--- a/rules/proxy/proxy_apt40.yml
+++ b/rules/proxy/proxy_apt40.yml
@@ -23,7 +23,5 @@ level: high
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
 - attack.exfiltration
 - attack.t1567.002
- - attack.t1048 # an old one
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 65b74bef3..eea3ebbfc 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -23,4 +23,3 @@ level: critical
 tags:
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 46d5fcc7f..7301303a0 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -30,4 +30,4 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
+
\ No newline at end of file
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
index a3b19690c..43553af44 100644
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -25,4 +25,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml
index 4c45e33c7..01d606b57 100644
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@@ -22,4 +22,3 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 6ceee22b7..e3e605417 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
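Review bot: In proxy_cobalt_amazon.yml the removed `attack.t1043` line is replaced by an empty `+` line and the file now ends without a newline (`\ No newline at end of file` appears only on the new side), so this hunk adds a stray blank line and drops the final newline instead of being a clean deletion. It should read `@@ -30,4 +30,3 @@` like the neighbouring proxy_chafer_malware.yml and proxy_cobalt_malformed_uas.yml hunks, with the `+` line removed and the trailing newline after `- attack.t1071.001` kept.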
@@ -25,4 +25,3 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 739a09478..f5374e960 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -113,4 +113,3 @@ tags:
- attack.execution
- attack.t1203
- attack.t1204.002
- - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
index d30f7d32b..268fd3abb 100644
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@@ -62,4 +62,3 @@ tags:
- attack.execution
- attack.t1203
- attack.t1204.002
- - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml
index d797c734d..a619b015a 100644
--- a/rules/proxy/proxy_downloadcradle_webdav.yml
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml
@@ -27,4 +27,3 @@ level: high
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml
index a36a0909f..7f027bfb2 100644
--- a/rules/proxy/proxy_empire_ua_uri_combos.yml
+++ b/rules/proxy/proxy_empire_ua_uri_combos.yml
@@ -28,4 +28,3 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index ab89ee9ef..a86801b78 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -30,4 +30,3 @@ tags:
- attack.credential_access
- attack.t1528
- attack.t1552.001
- - attack.t1081 # an old one
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
index 42813f313..d9b6569a2 100644
--- a/rules/proxy/proxy_pwndrop.yml
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -23,7 +23,5 @@ level: critical
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
- attack.t1102.001
- attack.t1102.003
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index b731474b6..9135f5e4c 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -27,8 +27,6 @@ level: high
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
- attack.t1102.001
- attack.t1102.003
- attack.defense_evasion
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index a12c9e45d..3277e1224 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -24,7 +24,5 @@ tags:
- attack.t1189
- attack.execution
- attack.t1204.002
- - attack.t1204 # an old one
- attack.defense_evasion
- attack.t1036.005
- - attack.t1036 # an old one
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml
index c961ec2c9..c8803a0a1 100644
--- a/rules/proxy/proxy_telegram_api.yml
+++ b/rules/proxy/proxy_telegram_api.yml
@@ -32,6 +32,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
- attack.t1102.002
- - attack.t1102 # an old one
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
index 2f97ae7da..41b3aa242 100644
--- a/rules/proxy/proxy_turla_comrat.yml
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -20,5 +20,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
- attack.g0010
diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml
index d9f0aa5df..c0068e710 100644
--- a/rules/proxy/proxy_ursnif_malware_c2_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml
@@ -30,9 +30,7 @@ level: critical
tags:
- attack.initial_access
- attack.t1566.001
- - attack.t1193 # an old one
- attack.execution
- attack.t1204.002
- - attack.t1204 # an old one
- attack.command_and_control
- attack.t1071.001
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index e2fe9853d..a7c208d46 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -18,5 +18,4 @@ falsepositives:
level: high
tags:
- attack.impact
- - attack.t1499 # an old one
- attack.t1499.004
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index 0ca683c20..40b443f54 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -21,7 +21,6 @@ falsepositives:
- Unknown
level: critical
tags:
- - attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- attack.persistence
diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
index e2715da28..ad25c59e9 100644
--- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -24,7 +24,6 @@ falsepositives:
- Unknown
level: high
tags:
- - attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- cve.2020.14882
diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
index 5663b39d8..98eb7aa2e 100644
--- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -30,7 +30,6 @@ falsepositives:
- Unknown
level: high
tags:
- - attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- cve.2020.3452
\ No newline at end of file
diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml
index 34e6786a6..7a66f2a83 100644
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@@ -24,5 +24,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml
index b51f2b830..b96d0af9f 100644
--- a/rules/web/win_powershell_snapins_hafnium.yml
+++ b/rules/web/win_powershell_snapins_hafnium.yml
@@ -10,7 +10,6 @@ date: 2021/03/03
modified: 2021/08/09
tags:
- attack.execution
- - attack.t1086 # an old one
- attack.t1059.001
- attack.collection
- attack.t1114
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index 7dc07c128..7e38813c7 100644
--- a/rules/web/win_webshell_regeorg.yml
+++ b/rules/web/win_webshell_regeorg.yml
@@ -33,5 +33,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1100 # an old one
- attack.t1505.003
diff --git a/rules/windows/builtin/application/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml
index b7b91a54c..48063418f 100644
--- a/rules/windows/builtin/application/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/win_susp_backup_delete.yml
@@ -10,7 +10,6 @@ date: 2017/05/12
modified: 2021/10/13
tags:
- attack.defense_evasion
- - attack.t1107 # an old one
- attack.t1070.004
logsource:
product: windows
diff --git a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
index a128d21dc..e5e4e8d67 100644
--- a/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
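Review bot: The win_powershell_snapins_hafnium.yml hunk removes a tag but leaves `modified: 2021/08/09` untouched, and the same holds for every other hunk in this chunk where the field is in view (win_susp_backup_delete.yml here, and later win_net_ntlm_downgrade.yml, win_rdp_localhost_login.yml, win_susp_codeintegrity_check_failure.yml, win_susp_eventlog_cleared.yml and win_susp_local_anon_logon_created.yml). If the project's convention is that any edit to a rule file bumps `modified:`, these dates are now stale and consumers that diff rule packs by that field will not see the tag change; if tag-only cleanups are deliberately exempt, a sentence in the commit description saying so would settle it. I cannot see the convention from the diff itself, so treat this as a question rather than a defect.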
+++ b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
@@ -3,7 +3,6 @@ id: 6c82cf5c-090d-4d57-9188-533577631108
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1211
- attack.t1562.001
status: experimental
diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index 017048ad8..c5798b2c3 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -5,7 +5,6 @@ references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
status: experimental
author: Samir Bousseaden
diff --git a/rules/windows/builtin/security/win_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
index 779fe0302..2f3e22891 100644
--- a/rules/windows/builtin/security/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
@@ -24,5 +24,4 @@ falsepositives:
level: critical
tags:
- attack.defense_evasion
- - attack.t1222 # an old one
- attack.t1222.001
diff --git a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
index f87dba3b8..c67999e5b 100644
--- a/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
@@ -31,5 +31,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.006
diff --git a/rules/windows/builtin/security/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml
index 85a1ac967..37a865e95 100644
--- a/rules/windows/builtin/security/win_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_ad_user_enumeration.yml
@@ -11,7 +11,6 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml
index 1ff0216df..a2186be2b 100644
--- a/rules/windows/builtin/security/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/win_admin_rdp_login.yml
@@ -5,7 +5,6 @@ references:
- https://car.mitre.org/wiki/CAR-2016-04-005
tags:
- attack.lateral_movement
- - attack.t1078 # an old one
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
diff --git a/rules/windows/builtin/security/win_admin_share_access.yml b/rules/windows/builtin/security/win_admin_share_access.yml
index fd78ca8a7..3d8dc32ec 100644
--- a/rules/windows/builtin/security/win_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_admin_share_access.yml
@@ -21,5 +21,4 @@ falsepositives:
level: low
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
index ab46a0015..5667e9467 100644
--- a/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
@@ -86,5 +86,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
diff --git a/rules/windows/builtin/security/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml
index 071c57705..94c382c2f 100644
--- a/rules/windows/builtin/security/win_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_alert_ruler.yml
@@ -15,7 +15,6 @@ tags:
- attack.discovery
- attack.execution
- attack.t1087
- - attack.t1075 # an old one
- attack.t1114
- attack.t1059
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
index b1b621bcf..5843d6bf9 100644
--- a/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
@@ -10,15 +10,12 @@ references:
tags:
- attack.persistence
- attack.g0049
- - attack.t1053 # an old one
- attack.t1053.005
- attack.s0111
- - attack.t1050 # an old one
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- - attack.t1071 # an old one
- attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
diff --git a/rules/windows/builtin/security/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml
index fc8011516..8dcb9b26c 100644
--- a/rules/windows/builtin/security/win_apt_wocao.yml
+++ b/rules/windows/builtin/security/win_apt_wocao.yml
@@ -11,13 +11,10 @@ tags:
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- - attack.t1036 # an old one
- attack.t1027
- attack.execution
- attack.t1053.005
- - attack.t1053 # an old one
- attack.t1059.001
- - attack.t1086 # an old one
date: 2019/12/20
modified: 2021/09/19
logsource:
diff --git a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
index 086feb2b2..252c8334c 100644
--- a/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -9,7 +9,6 @@ references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
tags:
- attack.t1204
- - attack.t1193 # an old one
- attack.t1566.001
- attack.execution
- attack.initial_access
diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
index e0caff9b4..f45c6c860 100644
--- a/rules/windows/builtin/security/win_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_atsvc_task.yml
@@ -24,7 +24,6 @@ level: medium
tags:
- attack.lateral_movement
- attack.persistence
- - attack.t1053 # an old one
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
diff --git a/rules/windows/builtin/security/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml
index 70ec081b7..1c4d3086e 100644
--- a/rules/windows/builtin/security/win_dcsync.yml
+++ b/rules/windows/builtin/security/win_dcsync.yml
@@ -11,7 +11,6 @@ references:
tags:
- attack.credential_access
- attack.s0002
- - attack.t1003 # an old one
- attack.t1003.006
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml
index 46345954a..a0196d1db 100644
--- a/rules/windows/builtin/security/win_defender_bypass.yml
+++ b/rules/windows/builtin/security/win_defender_bypass.yml
@@ -25,5 +25,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
diff --git a/rules/windows/builtin/security/win_disable_event_logging.yml b/rules/windows/builtin/security/win_disable_event_logging.yml
index 9f3b32e5c..1975bc806 100644
--- a/rules/windows/builtin/security/win_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_disable_event_logging.yml
@@ -23,5 +23,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1054 # an old one
- attack.t1562.002
diff --git a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
index bf6c020e3..57ecd7d68 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
@@ -22,5 +22,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.004
diff --git a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
index 07159fd3f..919d985b3 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -23,5 +23,4 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.004
diff --git a/rules/windows/builtin/security/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml
index 26deafd02..3bb242439 100644
--- a/rules/windows/builtin/security/win_event_log_cleared.yml
+++ b/rules/windows/builtin/security/win_event_log_cleared.yml
@@ -12,7 +12,6 @@ logsource:
service: security
product: windows
tags:
- - attack.t1107 # an old one
- attack.t1070.001
detection:
selection:
diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 5bd709c7d..6659a8c0c 100644
--- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
- attack.discovery
- - attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
index ab7dfd2d3..031277636 100644
--- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
@@ -27,5 +27,4 @@ level: high
tags:
- attack.persistence
- attack.lateral_movement
- - attack.t1053 # an old one
- attack.t1053.005
diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
index 798069d92..312355ab0 100644
--- a/rules/windows/builtin/security/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_impacket_secretdump.yml
@@ -9,7 +9,6 @@ references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml
index acf2eb16b..a5a4abc1d 100644
--- a/rules/windows/builtin/security/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_lm_namedpipe.yml
@@ -42,5 +42,4 @@ falsepositives:
level: high
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index d1157daf3..0fd9ca77a 100644
--- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -9,7 +9,6 @@ references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml
index a74b3aa9d..2addf4d35 100644
--- a/rules/windows/builtin/security/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_metasploit_authentication.yml
@@ -9,7 +9,6 @@ references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.lateral_movement
- - attack.t1077 # an old one
- attack.t1021.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 5fc1af96f..731069c17 100644
--- a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -12,7 +12,6 @@ date: 2018/03/20
modified: 2021/06/27
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
# Windows Security Eventlog: Process Creation with Full Command Line
diff --git a/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
index 021f753ba..989b884e6 100755
--- a/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml
@@ -27,5 +27,4 @@ falsepositives:
level: medium
tags:
- attack.persistence
- - attack.t1023 # an old one
- attack.t1547.009
diff --git a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
index 7b48f7705..8f200780d 100644
--- a/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
@@ -23,5 +23,4 @@ falsepositives:
level: medium
tags:
- attack.lateral_movement
- - attack.t1076 # an old one
- attack.t1021.001
diff --git a/rules/windows/builtin/security/win_overpass_the_hash.yml b/rules/windows/builtin/security/win_overpass_the_hash.yml
index a123ed2be..60edc2213 100644
--- a/rules/windows/builtin/security/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/win_overpass_the_hash.yml
@@ -22,6 +22,5 @@ falsepositives:
level: high
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- attack.s0002
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml
index ca9d3f39c..ca13aa9cf 100644
--- a/rules/windows/builtin/security/win_pass_the_hash.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash.yml
@@ -29,6 +29,5 @@ falsepositives:
level: medium
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- car.2016-04-004
- attack.t1550.002
diff --git a/rules/windows/builtin/security/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
index f70a26051..0fdadb4a1 100644
--- a/rules/windows/builtin/security/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/win_pass_the_hash_2.yml
@@ -10,7 +10,6 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
tags:
- attack.lateral_movement
- - attack.t1075 # an old one
- attack.t1550.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
index 29cea968c..006a8a330 100644
--- a/rules/windows/builtin/security/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_protected_storage_service_access.yml
@@ -21,5 +21,4 @@ falsepositives:
level: critical
tags:
- attack.lateral_movement
- - attack.t1021 # an old one
- attack.t1021.002
diff --git a/rules/windows/builtin/security/win_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
index 4e25bed94..25a7a93ae 100644
--- a/rules/windows/builtin/security/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
@@ -22,6 +22,5 @@ tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- - attack.t1053 # an old one
- car.2013-08-001
- attack.t1053.005
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index f6ddb6e44..26c9954fd 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -7,7 +7,6 @@ date: 2019/01/28
modified: 2021/07/07
tags:
- attack.lateral_movement
- - attack.t1076 # an old one
- car.2013-07-002
- attack.t1021.001
status: experimental
diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index c56e62128..5f127ce93 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -12,8 +12,6 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.lateral_movement
- - attack.t1076 # an old one
- - attack.t1090 # an old one
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
diff --git a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
index 9f5b22151..05f1fe83e 100644
--- a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -7,7 +7,6 @@ references:
tags:
- attack.lateral_movement
- attack.privilege_escalation
- - attack.t1208 # an old one
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml
index 3de3b459a..0fd7f3726 100644
--- a/rules/windows/builtin/security/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_remote_powershell_session.yml
@@ -9,7 +9,6 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- - attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
index 9150ab1a9..865a9c845 100644
--- a/rules/windows/builtin/security/win_scheduled_task_deletion.yml
+++ b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
@@ -7,7 +7,6 @@ date: 2021/01/22
tags:
- attack.execution
- attack.privilege_escalation
- - attack.t1053 # an old one
- car.2013-08-001
- attack.t1053.005
references:
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index d311d40f9..ca29a8a52 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
tags:
- attack.credential_access
- attack.execution
- - attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- - attack.t1035 # an old one
- attack.t1569.002
- attack.s0005
logsource:
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index 3f798a692..b3b0a67c2 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -16,8 +16,6 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1003
- - attack.t1035 # an old one
- - attack.t1050 # an old one
 - car.2013-09-005
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 17df9ffed..aa946c489 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -13,7 +13,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 514a0ca97..900c55750 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1084 # an old one
 - attack.t1546.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_add_sid_history.yml b/rules/windows/builtin/security/win_susp_add_sid_history.yml
index 9f0b7fae5..60d809e44 100644
--- a/rules/windows/builtin/security/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_susp_add_sid_history.yml
@@ -9,7 +9,6 @@ date: 2017/02/19
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1178 # an old one
 - attack.t1134.005
 logsource:
 product: windows
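Review bot: In win_security_mal_service_installs.yml the bare parent tag `- attack.t1003` is kept while the neighbouring `# an old one` entries are dropped, which is inconsistent with win_security_mal_creddumper.yml in the preceding hunk, where the parent `attack.t1003` is removed in favour of its `attack.t1003.00x` sub-techniques. Either the parent should be replaced with the sub-technique the service-install behaviour actually maps to, or a comment such as `- attack.t1003  # parent kept on purpose: no single sub-technique fits` should say why the parent-level tag stays here. As written, a reader cannot tell whether it was simply skipped because it lacked the `# an old one` marker.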
diff --git a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
index d2f352e6a..78d011da9 100644
--- a/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
@@ -7,7 +7,6 @@ date: 2019/12/03
 modified: 2020/08/23
 tags:
 - attack.defense_evasion
- - attack.t1009 # an old one
 - attack.t1027.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
index 47b1592f9..40a1bd711 100644
--- a/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
@@ -13,7 +13,6 @@ date: 2017/01/10
 modified: 2022/01/07
 tags:
 - attack.defense_evasion
- - attack.t1070 # an old one
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
index 3084f30bb..c38a5a2f0 100644
--- a/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
@@ -25,6 +25,5 @@ falsepositives:
 - Companies, who may use these default LDAP-Attributes for personal information
 level: high
 tags:
- - attack.t1071 # an old one
 - attack.t1001.003
 - attack.command_and_control
diff --git a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
index ec3eaac7c..d44cab80b 100644
--- a/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
@@ -9,7 +9,6 @@ date: 2019/10/31
 modified: 2021/07/06
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
 - attack.t1136.002
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml
index 8da6d3706..9046f32d1 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump.yml
@@ -9,7 +9,6 @@ references:
 - https://twitter.com/jackcr/status/807385668833968128
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
index 6e367a645..af746fc30 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
@@ -10,7 +10,6 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - car.2019-04-004
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/builtin/security/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
index 380774c5e..d4fd16e68 100644
--- a/rules/windows/builtin/security/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
@@ -30,8 +30,6 @@ falsepositives:
 level: high
 tags:
 - attack.discovery
- - attack.t1087 # an old one
 - attack.t1087.002
- - attack.t1069 # an old one
 - attack.t1069.002
 - attack.s0039
diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml
index 5377a73ab..2934d2fcf 100644
--- a/rules/windows/builtin/security/win_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_susp_psexec.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
index 91d3b5b1e..3f7576a13 100644
--- a/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
@@ -6,7 +6,6 @@ references:
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 tags:
 - attack.credential_access
- - attack.t1208 # an old one
 - attack.t1558.003
 description: Detects service ticket requests using RC4 encryption type
 author: Florian Roth
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index 1fd50a283..b685533d3 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -10,7 +10,6 @@ modified: 2021/07/07
 tags:
 - attack.privilege_escalation
 - attack.credential_access
- - attack.t1171 # an old one
 - attack.t1557.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_susp_sdelete.yml b/rules/windows/builtin/security/win_susp_sdelete.yml
index a01737771..d53bd9789 100644
--- a/rules/windows/builtin/security/win_susp_sdelete.yml
+++ b/rules/windows/builtin/security/win_susp_sdelete.yml
@@ -28,9 +28,7 @@ level: medium
 tags:
 - attack.impact
 - attack.defense_evasion
- - attack.t1107 # an old one
 - attack.t1070.004
- - attack.t1066 # an old one
 - attack.t1027.005
 - attack.t1485
 - attack.t1553.002
diff --git a/rules/windows/builtin/security/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml
index d518bd8a7..73052f65d 100644
--- a/rules/windows/builtin/security/win_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_susp_time_modification.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1099 # an old one
 - attack.t1070.006
diff --git a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
index a7df9e611..8f331063c 100644
--- a/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
@@ -26,5 +26,4 @@ falsepositives:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1208 # an old one
 - attack.t1558.003
diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml
index af7b98f47..433ea4c5b 100644
--- a/rules/windows/builtin/security/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml
@@ -24,5 +24,4 @@ level: medium
 tags:
 - attack.lateral_movement
 - attack.persistence
- - attack.t1077 # an old one
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
index f8b084ce8..75bd3074c 100644
--- a/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
+++ b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -29,7 +29,6 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
index f243911f0..45242a31d 100644
--- a/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.lateral_movement
 - attack.privilege_escalation
- - attack.t1208 # an old one
 - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
diff --git a/rules/windows/builtin/security/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
index 69521c42f..a16ebf7a9 100644
--- a/rules/windows/builtin/security/win_user_creation.yml
+++ b/rules/windows/builtin/security/win_user_creation.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: low
 tags:
 - attack.persistence
- - attack.t1136 # an old one
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_user_driver_loaded.yml b/rules/windows/builtin/security/win_user_driver_loaded.yml
index 98e247108..45b5f6218 100644
--- a/rules/windows/builtin/security/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_user_driver_loaded.yml
@@ -36,6 +36,5 @@ falsepositives:
 - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
 level: medium
 tags:
- - attack.t1089 # an old one
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
index 189973a8a..1cb7b91a1 100755
--- a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
@@ -25,5 +25,4 @@ level: high
 tags:
 - attack.persistence
 - attack.g0010
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
index 47cf659f1..d196830fe 100644
--- a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
@@ -7,15 +7,12 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.s0111
- - attack.t1050 # an old one
 - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 date: 2018/03/23
 modified: 2021/11/30
diff --git a/rules/windows/builtin/system/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_apt_stonedrill.yml
index d85d40dc3..3d5ba49bf 100755
--- a/rules/windows/builtin/system/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/system/win_apt_stonedrill.yml
@@ -23,5 +23,4 @@ level: high
 tags:
 - attack.persistence
 - attack.g0064
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml
index 9c9a8a47c..1552f94a4 100644
--- a/rules/windows/builtin/system/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/system/win_apt_turla_service_png.yml
@@ -22,5 +22,4 @@ level: critical
 tags:
 - attack.persistence
 - attack.g0010
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
index c733d9db6..cf1168712 100644
--- a/rules/windows/builtin/system/win_hack_smbexec.yml
+++ b/rules/windows/builtin/system/win_hack_smbexec.yml
@@ -27,7 +27,5 @@ level: critical
 tags:
 - attack.lateral_movement
 - attack.execution
- - attack.t1077 # an old one
 - attack.t1021.002
- - attack.t1035 # an old one
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/win_mal_creddumper.yml b/rules/windows/builtin/system/win_mal_creddumper.yml
index 93f1da11a..fcd6b5124 100644
--- a/rules/windows/builtin/system/win_mal_creddumper.yml
+++ b/rules/windows/builtin/system/win_mal_creddumper.yml
@@ -10,13 +10,11 @@ references:
 tags:
 - attack.credential_access
 - attack.execution
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
 - attack.t1003.006
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 911ecf135..9a66aa229 100644
--- a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -10,7 +10,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
index b4604cec8..7e4c1b7cc 100644
--- a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
@@ -19,5 +19,4 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_rare_service_installs.yml b/rules/windows/builtin/system/win_rare_service_installs.yml
index 5d8565399..045d35b73 100644
--- a/rules/windows/builtin/system/win_rare_service_installs.yml
+++ b/rules/windows/builtin/system/win_rare_service_installs.yml
@@ -21,6 +21,5 @@ level: low
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1050 # an old one
 - car.2013-09-005
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml
index 8b5b0feb5..43daa66bb 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config.yml
@@ -11,7 +11,6 @@ modified: 2021/10/13
 author: Dimitrios Slamaris
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
index b6235d1e0..1a1d87fbd 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
@@ -10,7 +10,6 @@ date: 2017/05/15
 modified: 2021/10/13
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 author: 'Dimitrios Slamaris, @atc_project (fix)'
 logsource:
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
index ad4617a57..15cb35d23 100644
--- a/rules/windows/builtin/system/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_susp_sam_dump.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
index 6ce32b306..114e701d5 100644
--- a/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -13,7 +13,6 @@ references:
 status: stable
 tags:
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
index 84e9d3330..bac81ee27 100644
--- a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -15,7 +15,6 @@ date: 2017/01/10
 modified: 2022/01/07
 tags:
 - attack.defense_evasion
- - attack.t1070 # an old one
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
index 3528eaae2..d54e00e74 100644
--- a/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_tool_psexec.yml
@@ -10,7 +10,6 @@ references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0029
 fields:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 2de4b87d0..a4d6f2a09 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -9,7 +9,6 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 tags:
 - attack.s0002
- - attack.t1003 # an old one
 - attack.lateral_movement
 - attack.credential_access
 - car.2013-07-001
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 8b6e3dee2..1bc41f106 100644
--- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -24,10 +24,8 @@ detection:
 condition: selection
 tags:
 - attack.defense_evasion
- - attack.t1093 # an old one
 - attack.t1055.012
 - attack.execution
- - attack.t1064 # an old one
 - attack.t1059.005
 - attack.t1059.007
 - attack.t1218.005
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index 94a3f1c7e..02934f765 100644
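Review bot: Dropping `- attack.t1003 # an old one` from win_alert_mimikatz_keywords.yml leaves no technique-level tag in the visible hunk — only `attack.s0002`, the two tactic tags and `car.2013-07-001` remain. In every other credential-dumping rule in this commit the parent is removed because an `attack.t1003.00x` sub-technique is already present; if no such entry exists further down this rule's tag list (which is outside the hunk), the rule ends up tagged with the credential_access tactic but no technique. In that case a sub-technique line such as `- attack.t1003.001` should be added in the same change rather than leaving the mapping empty.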
--- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -6,7 +6,6 @@ references:
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
 - attack.defense_evasion
- - attack.t1055 # an old one
 - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index 04829d335..041904e8b 100644
--- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -20,5 +20,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1055 # an old one
 - attack.t1055.001
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
index fbdb2e081..958d88cea 100644
--- a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -17,7 +17,6 @@ detection:
 condition: selection
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.s0005
 - attack.t1003.001
 falsepositives:
diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
index 081bd0b01..b9e029f91 100644
--- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -18,9 +18,7 @@ detection:
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085 # an old one
 - attack.t1218.011
- - attack.t1086 # an old one
 - attack.t1059.001
 falsepositives:
 - Unknown
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index e8b7a5b87..dffb1092d 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -25,6 +25,5 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1027 # an old one
 - attack.s0139
 - attack.t1564.004
diff --git a/rules/windows/deprecated/powershell_suspicious_download.yml b/rules/windows/deprecated/powershell_suspicious_download.yml
index 72d831a05..dd2cc5a96 100644
--- a/rules/windows/deprecated/powershell_suspicious_download.yml
+++ b/rules/windows/deprecated/powershell_suspicious_download.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
index 90cf7c75d..f0f7d851c 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index 080a241c5..bf4fd5226 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
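Review bot: The removal of `- attack.t1027 # an old one` in sysmon_ads_executable.yml does not follow the pattern of the other hunks: T1027 is a current parent technique with its own sub-techniques (this same commit keeps `attack.t1027.001` in win_susp_codeintegrity_check_failure.yml and `attack.t1027.005` in win_susp_sdelete.yml), and the remaining `attack.t1564.004` is a sub-technique of T1564, not of T1027. Unless the obfuscation mapping was wrong to begin with, the rule silently loses it; either keep the tag or state in the commit message why an executable in an alternate data stream is no longer mapped to T1027.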
@@ -5,7 +5,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 logsource:
diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
index 7f3e6b0a4..7c80fd93b 100644
--- a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
@@ -9,7 +9,6 @@ references:
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
index a0299149f..6b396ffe6 100644
--- a/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
@@ -11,10 +11,8 @@ references:
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.t1175 # an old one
 - attack.defense_evasion
 - attack.t1218.010
- - attack.t1117 # an old one
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml
index 2817cc600..b9be2da02 100644
--- a/rules/windows/driver_load/driver_load_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml
@@ -13,13 +13,11 @@ references:
 tags:
 - attack.credential_access
 - attack.execution
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
 - attack.t1003.006
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0005
 logsource:
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 9593302ff..172b3e23f 100644
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -13,7 +13,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml
index 1db8cc4d0..fbaec49c6 100755
--- a/rules/windows/driver_load/driver_load_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml
@@ -18,5 +18,4 @@ level: high
 tags:
 - attack.persistence
 - attack.privilege_escalation
- - attack.t1050 # an old one
 - attack.t1543.003
diff --git a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
index cf9ea41cb..687865be6 100644
--- a/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
+++ b/rules/windows/file_event/file_event_apt_unidentified_nov_18.yml
@@ -14,7 +14,6 @@ modified: 2021/09/19
 tags:
 - attack.execution
 - attack.t1218.011
- - attack.t1085 # an old one
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file_event/file_event_hack_dumpert.yml b/rules/windows/file_event/file_event_hack_dumpert.yml
index ed3625dbb..74a805179 100755
--- a/rules/windows/file_event/file_event_hack_dumpert.yml
+++ b/rules/windows/file_event/file_event_hack_dumpert.yml
@@ -13,7 +13,6 @@ date: 2020/02/04 modified: 2021/09/21 tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 logsource: category: file_event
diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml
index 1aae4f62e..a0bacd772 100644
--- a/rules/windows/file_event/file_event_hktl_createminidump.yml
+++ b/rules/windows/file_event/file_event_hktl_createminidump.yml
@@ -13,7 +13,6 @@ modified: 2021/09/19 tags: - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one logsource: product: windows category: file_event
diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml
index 8c401e191..f8e747bbe 100644
--- a/rules/windows/file_event/file_event_lsass_dump.yml
+++ b/rules/windows/file_event/file_event_lsass_dump.yml
@@ -13,7 +13,6 @@ date: 2021/11/15 tags: - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one logsource: product: windows category: file_event
diff --git a/rules/windows/file_event/file_event_mal_adwind.yml b/rules/windows/file_event/file_event_mal_adwind.yml
index bab320074..1e79f6b12 100644
--- a/rules/windows/file_event/file_event_mal_adwind.yml
+++ b/rules/windows/file_event/file_event_mal_adwind.yml
@@ -15,7 +15,6 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - - attack.t1064 # an old one logsource: category: file_event product: windows
diff --git a/rules/windows/file_event/file_event_tool_psexec.yml b/rules/windows/file_event/file_event_tool_psexec.yml
index 91a51e0af..d4e3d237b 100644
--- a/rules/windows/file_event/file_event_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_tool_psexec.yml
@@ -13,7 +13,6 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet tags: - attack.execution - - attack.t1035 # an old one - attack.t1569.002 - attack.s0029 fields:
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bc5be1459..49c10bff4 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -7,7 +7,6 @@ date: 2020/05/26 modified: 2021/10/28 tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.005 logsource: category: file_event
diff --git a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
index bd7f61751..4c07b444c 100755
--- a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -44,7 +44,6 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.t1003.002 - attack.t1003.003
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index 72e876b02..330c16858 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -19,5 +19,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001
diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index c3bf8ebe7..3648d592e 100755
--- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -8,7 +8,6 @@ date: 2019/10/22 modified: 2021/08/16 tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 logsource: category: file_event
diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml
index 2f67a1a0c..658789a7a 100644
--- a/rules/windows/file_event/sysmon_office_persistence.yml
+++ b/rules/windows/file_event/sysmon_office_persistence.yml
@@ -28,5 +28,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1137 # an old one - attack.t1137.006
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index ebda72aba..4f21221df 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -114,5 +114,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 431d86d6a..3e8ca7f58 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -22,5 +22,4 @@ falsepositives: level: critical tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.002
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 3484536d1..584b374df 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -29,6 +29,5 @@ falsepositives: - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc. level: high tags: - - attack.t1071 # an old one - attack.t1001.003 - attack.command_and_control
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 7c44eaa61..119379751 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -25,5 +25,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1023 # an old one - attack.t1547.009
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index ba0a1127c..d32dd30da 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -25,6 +25,5 @@ falsepositives: - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it. level: medium tags: - - attack.t1089 # an old one - attack.t1562.001 - attack.defense_evasion
diff --git a/rules/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
index 655ddfe50..59a98326c 100755
--- a/rules/windows/file_event/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -42,5 +42,4 @@ falsepositives: level: critical tags: - attack.persistence - - attack.t1100 # an old one - attack.t1505.003
diff --git a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
index 5d736bc2e..4265bccba 100755
--- a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -18,6 +18,5 @@ falsepositives: - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) level: high tags: - - attack.t1084 # an old one - attack.t1546.003 - attack.persistence
diff --git a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
index ddb733aac..c7586f7d6 100644
--- a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -13,7 +13,6 @@ status: test tags: - attack.defense_evasion - attack.privilege_escalation - - attack.t1073 # an old one - attack.t1574.002 detection: selection_dll:
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index edd59fc66..cdf9ee7d1 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -12,7 +12,6 @@ references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll tags: - - attack.t1086 # an old one - attack.t1059.001 - attack.execution logsource:
diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml
index 39d0d7621..b49be7ca9 100644
--- a/rules/windows/image_load/sysmon_susp_fax_dll.yml
+++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml
@@ -26,7 +26,5 @@ level: high tags: - attack.persistence - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1038 # an old one - attack.t1574.001 - attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 726a87dd1..ff5ca7bfe 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -23,5 +23,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index f8d5be4aa..6feea67a4 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 36b37ccb3..2cb835dfa 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index c30288f94..fc8c755b5 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 47a3b0424..649f5d309 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 54bf26095..f72268538 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index 802b5df9d..5b31fa62a 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -27,5 +27,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 90bfdd134..03fb50e95 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -65,5 +65,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 393876e94..0be23656b 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -28,7 +28,5 @@ level: high tags: - attack.persistence - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 - - attack.t1038 # an old one - attack.t1574.001
diff --git a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
index d167e1004..831d31022 100755
--- a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -20,5 +20,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001
diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index 2b7a1420d..f0a9711a8 100755
--- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -19,6 +19,5 @@ falsepositives: - Unknown (data set is too small; further testing needed) level: high tags: - - attack.t1084 # an old one - attack.t1546.003 - attack.persistence
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 90a124677..826dfffd3 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -17,7 +17,6 @@ references: - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - - attack.t1100 # an old one - attack.t1505.003 logsource: product: antivirus
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 177fb35a1..6bb0a471b 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -46,4 +46,3 @@ tags: - attack.t1218 - attack.execution - attack.t1559.001
- - attack.t1175 # an old one
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index 804ddbebe..90737fa59 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -96,4 +96,3 @@ level: medium tags: - attack.command_and_control - attack.t1571
- - attack.t1043 # an old one
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index b728c7afb..f0deb73c0 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -11,7 +11,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: category: network_connection product: windows
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index b42525448..a75bcb51b 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -12,7 +12,6 @@ tags: - attack.t1572 - attack.lateral_movement - attack.t1021.001 - - attack.t1076 # an old one - car.2013-07-002 logsource: category: network_connection
diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index ade7b3075..6aaf10275 100644
--- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -5,13 +5,6 @@ references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md -tags: - - attack.execution - - attack.t1559.001 - - attack.t1175 # an old one - - attack.defense_evasion - - attack.t1218.010 - - attack.t1117 # an old one author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25
@@ -31,4 +24,9 @@ fields: - DestinationPort falsepositives: - unknown
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.execution
+ - attack.t1559.001
+ - attack.defense_evasion
+ - attack.t1218.010
\ No newline at end of file
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index a3a16207b..e6eb9c587 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -24,7 +24,5 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006
- - attack.t1028 # an old one
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 2b32f35c2..97a5b9efd 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -47,5 +47,4 @@ level: medium tags: - attack.defense_evasion - attack.t1218.011 - - attack.t1085 # an old one - attack.execution
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 91da2c975..faf94a368 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -45,5 +45,4 @@ level: high tags: - attack.lateral_movement - attack.t1021.001 - - attack.t1076 # an old one - car.2013-07-002
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 0566f2b82..fd7cba0ab 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
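Review bot: The rewritten tail of sysmon_regsvr32_network_activity.yml still ends without a newline — the second `\ No newline at end of file` marker follows `+ - attack.t1218.010` — so the commit touches the last line of the file yet leaves the defect in place; end the file with a single trailing newline so yamllint's new-line-at-end-of-file check and plain `cat`/`diff` output behave. Relocating the whole `tags:` block from below `references:` (the `@@ -5,13 +5,6 @@` hunk) to the end of the file also goes beyond the commit's purpose of dropping deprecated technique IDs and changes the file's key order; every other rule in this series deletes the obsolete lines in place, and doing the same here (removing only `  - attack.t1175 # an old one` and `  - attack.t1117 # an old one`) would keep the diff minimal and the layout consistent with the file's history.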
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -28,7 +28,5 @@ level: high tags: - attack.credential_access - attack.t1558 - - attack.t1208 # an old one - attack.lateral_movement - attack.t1550.003
- - attack.t1097 # an old one
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 915ef7f25..d275abb15 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -29,4 +29,3 @@ tags: - attack.t1105 - attack.exfiltration - attack.t1567.001
- - attack.t1048 # an old one
diff --git a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 1e14e667d..9e28f7ab9 100644
--- a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -32,10 +32,6 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1086 # an old one - - attack.t1064 # an old one - - attack.t1204 # an old one - - attack.t1035 # an old one - attack.t1204.002 - attack.t1059.001 - attack.t1059.003
diff --git a/rules/windows/other/dns_server/win_susp_dns_config.yml b/rules/windows/other/dns_server/win_susp_dns_config.yml
index 6254caca7..9a90fb155 100644
--- a/rules/windows/other/dns_server/win_susp_dns_config.yml
+++ b/rules/windows/other/dns_server/win_susp_dns_config.yml
@@ -23,5 +23,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
index 256ba6ea8..f6eb146e2 100644
--- a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
@@ -10,7 +10,6 @@ date: 2018/06/08 modified: 2021/11/20 tags: - attack.lateral_movement - - attack.t1075 # an old one - attack.t1550.002 logsource: product: windows
diff --git a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
index dd4e9f6c5..363596a2f 100644
--- a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
@@ -21,6 +21,5 @@ falsepositives: level: low tags: - attack.persistence - - attack.t1053 # an old one - attack.s0111 - attack.t1053.005
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
index 0aef6a5d1..035db4d79 100644
--- a/rules/windows/other/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/other/windefend/win_alert_lsass_access.yml
@@ -9,7 +9,6 @@ date: 2018/08/26 modified: 2021/11/13 tags: - attack.credential_access - - attack.t1003 # an old one # Defender Attack Surface Reduction - attack.t1003.001 logsource:
diff --git a/rules/windows/other/windefend/win_defender_disabled.yml b/rules/windows/other/windefend/win_defender_disabled.yml
index 14063f75e..0d6dbae81 100644
--- a/rules/windows/other/windefend/win_defender_disabled.yml
+++ b/rules/windows/other/windefend/win_defender_disabled.yml
@@ -10,7 +10,6 @@ references: status: stable tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows
diff --git a/rules/windows/other/windefend/win_defender_exclusions.yml b/rules/windows/other/windefend/win_defender_exclusions.yml
index 3f31c3b69..b573e8111 100644
--- a/rules/windows/other/windefend/win_defender_exclusions.yml
+++ b/rules/windows/other/windefend/win_defender_exclusions.yml
@@ -9,7 +9,6 @@ references: status: stable tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: product: windows
diff --git a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
index 07d2196e8..4dbf4c800 100644
--- a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
@@ -12,7 +12,6 @@ tags: - attack.execution - attack.lateral_movement - attack.t1047 - - attack.t1035 # an old one - attack.t1569.002 logsource: product: windows
diff --git a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
index 0eeb90cc1..69ea17366 100644
--- a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
@@ -8,7 +8,6 @@ references: status: stable tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 falsepositives: - Administrator actions
diff --git a/rules/windows/other/wmi/win_wmi_persistence.yml b/rules/windows/other/wmi/win_wmi_persistence.yml
index dcb47caef..9aa85c5f2 100644
--- a/rules/windows/other/wmi/win_wmi_persistence.yml
+++ b/rules/windows/other/wmi/win_wmi_persistence.yml
@@ -11,7 +11,6 @@ references: tags: - attack.persistence - attack.privilege_escalation - - attack.t1084 # an old one - attack.t1546.003 logsource: product: windows
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index 900ec9f5a..421032085 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -13,7 +13,6 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet tags: - attack.execution - - attack.t1035 # an old one - attack.t1569.002 - attack.s0029 fields:
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index d36011ef3..31a1d756c 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -32,5 +32,4 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001
diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
index 5fa249bee..ee3fb7c22 100644
--- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
@@ -23,7 +23,6 @@ falsepositives: level: critical tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.001 - attack.t1003.002 - attack.t1003.004
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 1ba70f716..dd72dd04b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -13,7 +13,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: product: windows category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 6ab90c2c2..b7d9d3547 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -8,7 +8,6 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) date: 2017/03/22 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 4c4ddb2dd..215c3d778 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -8,7 +8,6 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059.001 - - attack.t1086 # an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 8605312d6..88fde7aae 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -13,10 +13,8 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.lateral_movement - attack.t1021.006 - - attack.t1028 # an old one logsource: product: windows category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 95a2be973..bd1a09cbb 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -9,7 +9,6 @@ date: 2020/06/29 modified: 2021/10/16 tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
index 551b1b68b..183154501 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one author: Florian Roth date: 2017/03/05 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 8996bef6c..f5e493c93 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -8,7 +8,6 @@ modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 - - attack.t1086 #an old one logsource: product: windows category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index cebabac1d..5622ab6cb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -10,7 +10,6 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: product: windows category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index b7a636ef6..fb48751d4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -15,7 +15,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index a13453f9a..8faa41211 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070.003
- - attack.t1146 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 27ec125ce..2ffff9458 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -15,7 +15,6 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index ba800a5b4..424bff297 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -10,10 +10,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
index 097708941..598a3549e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
index 3281bd461..1ebead1f9 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index 1859ba45a..3c9fe2e92 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index a5b0d2a85..ab12a9c07 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -7,10 +7,8 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.persistence
- - attack.t1136.001
- - attack.t1136 # an old one
+ - attack.t1136.001
 author: '@ROxPinTeddy'
 date: 2020/04/11
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index c556a6603..8c35c9c81 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -24,4 +24,3 @@ level: low
 tags:
 - attack.exfiltration
 - attack.t1560
- - attack.t1002 # an old one
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
index 411443846..ea3a7d0a7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -10,7 +10,6 @@ tags:
 - attack.t1048
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 07fbbbd83..48bb1d48d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -12,7 +12,6 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 55aff9fcd..937652d74 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
 modified: 2021/11/29
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index f6e400310..d86e73d9a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 91dda5050..f107fce3f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -9,7 +9,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Alec Costello
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index fa8335566..b6784c866 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -8,10 +8,8 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1564.004
- - attack.t1096 # an old one
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: Sami Ruohonen
 date: 2018/07/24
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index a795e8d11..7c532498b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -9,7 +9,6 @@ tags:
 - attack.credential_access
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 author: John Lambert (idea), Florian Roth (rule)
 date: 2017/04/09
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index 121446277..edd719577 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -7,7 +7,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 9cad56ae0..d916707fe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -10,7 +10,6 @@ tags:
 - attack.t1055
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
index b33c4bea7..b533bf04b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_download.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell download command
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
index 2c106649e..7ee906b99 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_generic.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 929a6581f..287004ebb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -8,7 +8,6 @@ description: Detects suspicious PowerShell invocation command parameters
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2021/10/18
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
index 7d4d83170..655f9c3f9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_keywords.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
index 2a6ff8e32..c0a922711 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
@@ -14,7 +14,6 @@ modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 9054932c4..b52c9b8a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.persistence
- - attack.t1547.004
- - attack.t1004 # an old one
+ - attack.t1547.004
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index dc92e77d1..bd897115e 100644
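Review bot: The posh_ps_winlogon_helper_dll.yml hunk leaves the file without a trailing newline: the `\ No newline at end of file` marker follows only the added `- attack.t1547.004` line, while no such marker follows the removed lines, so the old file ended with a newline and the new one does not. This is a regression that yamllint's new-line-at-end-of-file check flags and that produces a spurious diff the next time anyone touches the last line; terminate the added line with a newline. The rest of the hunks on this line are plain deprecated-tag removals and need no change.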
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -8,7 +8,6 @@ tags:
 - attack.execution
 - attack.t1047
 - attack.t1059.001
- - attack.t1086 #an old one
 author: NVISO
 date: 2020/03/26
 modified: 2021/10/16
diff --git a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
index 745d8b86d..c16f73005 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution_by_access.yml
@@ -5,10 +5,8 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.t1218.003
- - attack.t1191 # an old one
 - attack.execution
 - attack.t1559.001
- - attack.t1175 # an old one
 - attack.g0069
 - attack.g0080
 - car.2019-04-001
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 9b873293a..b3cf7a362 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 - car.2019-04-004
 logsource:
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index acd4cc71c..c8f9d157f 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -12,7 +12,6 @@ tags:
 - attack.defense_evasion
 - attack.t1055.001
 - attack.t1055.002
- - attack.t1055 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index 474814818..faf00f958 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.002
- - attack.t1089 # an old one
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 4eb8b34b2..6bc1708e1 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -10,7 +10,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index cf5b00e42..98abacd62 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -19,12 +19,9 @@ tags:
 - attack.credential_access
 - attack.execution
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.lateral_movement
 - attack.t1021.006
- - attack.t1028 # an old one
 - attack.s0002
 falsepositives:
 - low
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index 11bc6e347..50607b328 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -17,7 +17,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
index 95341c500..02541dfcd 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
@@ -14,7 +14,6 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - attack.s0002
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
index 3d9c64bd7..120eaa9c6 100755
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
index 41af8a48f..a8a32766e 100644
--- a/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
+++ b/rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
@@ -9,7 +9,6 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.lateral_movement
- - attack.t1077 # an old one
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/process_creation_apt_wocao.yml b/rules/windows/process_creation/process_creation_apt_wocao.yml
index 46bd50982..8897c3feb 100644
--- a/rules/windows/process_creation/process_creation_apt_wocao.yml
+++ b/rules/windows/process_creation/process_creation_apt_wocao.yml
@@ -14,13 +14,10 @@ tags:
 - attack.t1012
 - attack.defense_evasion
 - attack.t1036.004
- - attack.t1036 # an old one
 - attack.t1027
 - attack.execution
 - attack.t1053.005
- - attack.t1053 # an old one
 - attack.t1059.001
- - attack.t1086 # an old one
 date: 2019/12/20
 modified: 2021/09/19
 logsource:
diff --git a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
index 006a75601..e41e4d43e 100644
--- a/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -13,7 +13,6 @@ modified: 2021/09/12
 author: Florian Roth
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/process_creation_hack_dumpert.yml b/rules/windows/process_creation/process_creation_hack_dumpert.yml
index 4f336d5f3..98602bc2c 100644
--- a/rules/windows/process_creation/process_creation_hack_dumpert.yml
+++ b/rules/windows/process_creation/process_creation_hack_dumpert.yml
@@ -10,7 +10,6 @@ date: 2020/02/04
 modified: 2021/12/08
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
index 6d8556cff..b64fa098d 100644
--- a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -11,7 +11,6 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.persistence
- - attack.t1015 # an old one
 - attack.t1546.008
 - car.2014-11-003
 - car.2014-11-008
diff --git a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
index 5fae2a858..ef3327d7d 100644
--- a/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
+++ b/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml
@@ -11,7 +11,6 @@ modified: 2021/09/21
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
index a0f16d53e..8ccb98db3 100644
--- a/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -14,7 +14,6 @@ modified: 2021/09/12
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1088 # an old one
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/process_creation_tool_psexec.yml b/rules/windows/process_creation/process_creation_tool_psexec.yml
index a352369a8..a6e7c236e 100644
--- a/rules/windows/process_creation/process_creation_tool_psexec.yml
+++ b/rules/windows/process_creation/process_creation_tool_psexec.yml
@@ -13,10 +13,8 @@ references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 tags:
 - attack.execution
- - attack.t1035 # an old one
 - attack.t1569.002
 - attack.s0029
-
 fields:
 - EventID
 - CommandLine
diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
index 2a3b27316..e4f571891 100644
--- a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: critical
 tags:
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
diff --git a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
index 7a27dc2f2..18838b6a6 100644
--- a/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
+++ b/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
@@ -5,7 +5,6 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1191 # an old one
 - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
index 6acf0e58f..6e14818fb 100644
--- a/rules/windows/process_creation/sysmon_hack_wce.yml
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -9,7 +9,6 @@ date: 2019/12/31
 modified: 2021/07/15
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.s0005
 logsource:
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index b78fef5f9..f56c4d87b 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -27,6 +27,5 @@ falsepositives:
 - penetration tests, red teaming
 level: high
 tags:
- - attack.t1037 # an old one
 - attack.t1037.001
 - attack.persistence
diff --git a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
index 7da6f41fd..637858fba 100644
--- a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
@@ -10,15 +10,12 @@ references:
 tags:
 - attack.persistence
 - attack.g0049
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.s0111
- - attack.t1050 # an old one
 - attack.t1543.003
 - attack.defense_evasion
 - attack.t1112
 - attack.command_and_control
- - attack.t1071 # an old one
 - attack.t1071.004
 date: 2018/03/23
 modified: 2021/09/19
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index 86145e21a..b1c55d0e3 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -25,6 +25,4 @@ level: critical
 tags:
 - attack.execution
 - attack.g0016
- - attack.t1086 # an old one
- - attack.t1059 # an old one
 - attack.t1059.001
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index 964fdd165..fcc4833e3 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -22,13 +22,9 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1059 # an old one
- - attack.t1086 # an old one
 - attack.t1059.003
 - attack.t1059.001
 - attack.discovery
 - attack.t1012
 - attack.defense_evasion
- - attack.t1170 # an old one
- - attack.t1218 # an old one
 - attack.t1218.005
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index c78bea144..8c97666b9 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -32,7 +32,5 @@ falsepositives:
 level: critical
 tags:
 - attack.credential_access
- - attack.t1081 # an old one
- - attack.t1003 # an old one
 - attack.t1552.001
 - attack.t1003.003
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index 79e714806..d2e7160a0 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -24,5 +24,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1117 # an old one
 - attack.t1218.010
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 417f1e5e9..0134a29c8 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -26,5 +26,4 @@ level: critical
 tags:
 - attack.execution
 - attack.g0045
- - attack.t1064 # an old one
 - attack.t1059.005
diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml
index 4ee34b3c6..3b6b90888 100755
--- a/rules/windows/process_creation/win_apt_elise.yml
+++ b/rules/windows/process_creation/win_apt_elise.yml
@@ -25,5 +25,4 @@ tags:
 - attack.g0050
 - attack.s0081
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.003
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
index de8445e1d..9cda75656 100644
--- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -21,5 +21,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1073 # an old one
 - attack.t1574.002
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 5590dd0df..fd3b97578 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -24,4 +24,3 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1218.010
- - attack.t1117 # an old one
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 239bec27a..371c521ec 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -25,5 +25,4 @@ level: critical
 tags:
 - attack.g0020
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
index 2d859fc06..bf606f567 100644
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: critical
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index 6a1b7e668..bf6de5e1d 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -11,11 +11,9 @@ tags:
 - attack.g0049
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
 - attack.command_and_control
 - attack.t1105
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index 4ac634838..c7606ca3c 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -31,8 +31,6 @@ tags:
 - attack.lateral_movement
 - attack.g0010
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.exfiltration
- - attack.t1002 # an old one
 - attack.t1560.001
diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
index ab2c43ff3..5de08498b 100644
--- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
+++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -29,5 +29,4 @@ level: critical
 tags:
 - attack.g0004
 - attack.defense_evasion
- - attack.t1089 # an old one
 - attack.t1562.001
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index 53f793c7f..e9f887454 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1036 # an old one
 - attack.t1036.005
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index e0975073f..cd57ea865 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -12,10 +12,8 @@ references:
 tags:
 - attack.g0007
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.003
 - attack.defense_evasion
- - attack.t1085 # an old one
 - car.2013-10-002
 - attack.t1218.011
 logsource:
diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
index f337f4580..5de827af1 100755
--- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
+++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
@@ -20,6 +20,5 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.g0035
- - attack.t1036 # an old one
 - attack.t1036.003
 - car.2013-05-009
diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml
index 3115b3104..7edbbc58c 100644
--- a/rules/windows/process_creation/win_apt_taidoor.yml
+++ b/rules/windows/process_creation/win_apt_taidoor.yml
@@ -27,5 +27,4 @@ falsepositives:
 level: critical
 tags:
 - attack.execution
- - attack.t1055 # an old one
 - attack.t1055.001
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 70dcfd75e..3f99ef284 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -9,7 +9,6 @@ references:
 - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
 tags:
 - attack.execution
- - attack.t1059 # an old one
 - attack.t1059.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
index 308d6f6b3..62e7b5c46 100644
--- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -27,8 +27,6 @@ level: critical
 tags:
 - attack.g0010
 - attack.execution
- - attack.t1086 # an old one
 - attack.t1059.001
- - attack.t1053 # an old one
 - attack.t1053.005
 - attack.t1027
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index 9b9924582..269487c32 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -11,7 +11,6 @@ modified: 2021/09/19
 tags:
 - attack.execution
 - attack.t1218.011
- - attack.t1085 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index 595829255..95b7e5160 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -34,5 +34,4 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1574.002
- - attack.t1073 # an old one
 - attack.g0044
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
index 3a4d55978..2df79a775 100644
--- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -28,5 +28,4 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1574.002
- - attack.t1073 # an old one
 - attack.g0044
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index b28bdae32..d47b54577 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -27,9 +27,7 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.defense_evasion
 - attack.t1218.011
- - attack.t1085 # an old one
 - attack.s0412
 - attack.g0001
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index f25853f7e..a06d44563 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -30,4 +30,3 @@ level: low
 tags:
 - attack.defense_evasion
 - attack.t1564.001
- - attack.t1158 # an old one
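Review bot: The `modified: 2021/09/19` context line of win_apt_unidentified_nov_18 is left untouched although the rule's tag list changes in this hunk, and the same holds for every other tag-only hunk in this patch that shows a `modified:` line (win_cmdkey_recon, win_hktl_createminidump, win_malware_emotet, win_mimikatz_command_line and others). If the repository convention is to bump `modified` whenever a rule file is edited, each touched rule should carry a new `modified: <date of this change>` line; if tag-only cleanups are exempt from that rule, a sentence in the commit description saying so would spare reviewers the question.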
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
index f3f2deefb..ed0ee3f1d 100644
--- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -18,7 +18,6 @@ references:
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
 tags:
 - attack.defense_evasion
- - attack.t1085 # an old one
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 9d7154328..6cb0289af 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -38,4 +38,3 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.t1059 # an old one
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index 39ead0991..aebb33e3d 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -31,4 +31,3 @@ level: low
 tags:
 - attack.persistence
 - attack.t1546.001
- - attack.t1042 # an old one
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 4d8a91334..6bc458264 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -11,7 +11,6 @@ modified: 2021/07/07
 tags:
 - attack.credential_access
 - attack.t1003.005
- - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 7a12cc4a4..8fc6974f8 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -7,9 +7,7 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
- - attack.t1088 # an old one
 - attack.t1218.003
- - attack.t1191 # an old one
 - attack.g0069
 - car.2019-04-001
 author: Nik Seetharaman, Christian Burkard
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 65790fd31..60b22b197 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -24,4 +24,3 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 4c7d6f778..f99241c94 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -32,6 +32,5 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1218.002
- - attack.t1196 # an old one
 - attack.persistence
 - attack.t1546
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index 8a73e1118..2d41fb2ef 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -38,6 +38,5 @@ tags:
 - attack.credential_access
 - attack.t1003.002
 - attack.t1003.003
- - attack.t1003 # an old one
 - car.2013-07-001
 - attack.s0404
diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
index c67033c10..8d361c2c1 100644
--- a/rules/windows/process_creation/win_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
@@ -10,7 +10,6 @@ references:
 - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 tags:
 - attack.credential_access
- - attack.t1174 # an old one
 - attack.t1556.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 1b4bfd5c4..956047838 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -27,4 +27,3 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1218.011
- - attack.t1085 # an old one
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
index 8f8be3398..335b05c1c 100644
--- a/rules/windows/process_creation/win_crime_maze_ransomware.yml
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -12,7 +12,6 @@ modified: 2021/06/27
 tags:
 - attack.execution
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.t1047
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index 5f773d70e..f5d8fea51 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -28,7 +28,5 @@ falsepositives:
 - Highly likely if rar is a default archiver in the monitored environment.
 level: low
 tags:
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
index 6d32387c5..e64b59455 100644
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -19,9 +19,6 @@ level: high
 tags:
 - attack.exfiltration
 - attack.t1048.001
- - attack.t1048 # an old one
 - attack.command_and_control
 - attack.t1071.004
- - attack.t1071 # an old one
 - attack.t1132.001
- - attack.t1132 # an old one
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index cf8eab19a..2fe209a11 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -23,4 +23,3 @@ tags:
 - attack.t1140
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index ce729589d..29310e995 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -25,4 +25,3 @@ level: critical
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
index e8bdeabe3..6168319ef 100644
--- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
@@ -22,7 +22,6 @@ level: medium
 tags:
 - attack.exfiltration
 - attack.command_and_control
- - attack.t1043 # an old one
 - attack.t1041
 - attack.t1572
 - attack.t1071.001
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index 058135789..46c3fd96f 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -22,4 +22,3 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1036.005
- - attack.t1036 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 6f646ada8..366161d87 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -22,7 +22,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 97816d3eb..e18716b04 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -24,7 +24,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 9462de4c8..cdcb80633 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -23,7 +23,5 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index f3bf0b305..25bd0ce55 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -34,6 +34,5 @@ tags:
 - attack.t1068
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.t1574
 - cve.2019.1378
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
index db2fbb2fd..f3e13062d 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -27,8 +27,6 @@ tags:
 - attack.t1190
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.s0190
 - cve.2020.10189
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
index 1cf672143..99e1ac1cb 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -30,4 +30,3 @@ tags:
 - attack.persistence
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 15e2bb975..6d031b2cd 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -29,5 +29,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1222.001
- - attack.t1222 # an old one
+ - attack.t1222.001
\ No newline at end of file
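Review bot: The rewritten last line of win_file_permission_modifications, `+ - attack.t1222.001` followed by `\ No newline at end of file`, drops the file's trailing newline, so the rule now fails yamllint's `new-line-at-end-of-file` check even though the old side ended cleanly. The same pattern appears in win_hack_koadic and win_hh_chm further down. In all three the intended edit is a pure deletion of the deprecated tag line(s); leaving the surviving `- attack.t1222.001` (resp. `- attack.t1059.007`, `- attack.t1218.001`) line as unchanged context, with its newline, keeps the file lint-clean and makes the hunk a one-line removal like the rest of the patch.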
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index ea2d0dcd9..f57aab90e 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -48,5 +48,4 @@ tags:
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
- - attack.t1003 # an old one
 - car.2013-07-001
diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml
index 3288e0325..5348ee4dc 100644
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@@ -38,11 +38,8 @@ tags:
 - attack.discovery
 - attack.t1087.001
 - attack.t1087.002
- - attack.t1087 # an old one
 - attack.t1482
 - attack.t1069.001
 - attack.t1069.002
- - attack.t1069 # an old one
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
index 00c8a6457..de808b09f 100644
--- a/rules/windows/process_creation/win_hack_koadic.yml
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -29,7 +29,5 @@ level: high
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.t1059.005
- - attack.t1059.007
- - attack.t1064 # an old one
+ - attack.t1059.007
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 0d2a8a8ea..2f2be0485 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -33,7 +33,5 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1558.003
- - attack.t1558 # an old one
 - attack.lateral_movement
 - attack.t1550.003
- - attack.t1097 # an old one
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml
index 3555ed2db..269387b78 100644
--- a/rules/windows/process_creation/win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/win_hack_secutyxploded.yml
@@ -11,8 +11,6 @@ modified: 2021/05/11
 tags:
 - attack.credential_access
 - attack.t1555
- - attack.t1003 # an old one
- - attack.t1503 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
index 21ee36e10..31d4db1ec 100644
--- a/rules/windows/process_creation/win_hh_chm.yml
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -25,6 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1218.001
- - attack.execution # an old one
- - attack.t1223 # an old one
+ - attack.t1218.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
index 04c9f49ab..c02a938e3 100644
--- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
@@ -8,7 +8,6 @@ date: 2020/21/04
 modified: 2021/06/11
 author: Sreeman
 tags:
- - attack.t1064
 - attack.t1211
 - attack.t1059
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index a54f7b140..6f8fea711 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -10,7 +10,6 @@ modified: 2021/09/19
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
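Review bot: The hunk header of win_hiding_malware_in_fonts_folder shows `date: 2020/21/04`, which is not a valid YYYY/MM/DD value (there is no month 21) and will trip any date validation on the rule set; since this file is already being edited, the line should be corrected in the same change, presumably to `date: 2020/04/21` if the day and month were transposed — worth confirming against the rule's history. Separately, the removed `- attack.t1064` line here carries no `# an old one` marker unlike every other deletion in this patch, so it is not obvious from the diff whether it was dropped as deprecated or by mistake; a word in the commit description would settle that.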
diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml
index 971bfb366..6eb7b0667 100644
--- a/rules/windows/process_creation/win_html_help_spawn.yml
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -34,7 +34,6 @@ tags:
 - attack.t1218.010
 - attack.t1218.011
 - attack.execution
- - attack.t1223 # an old one
 - attack.t1059.001
 - attack.t1059.003
 - attack.t1059.005
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index 9a7d4c55f..5c34f31f4 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -25,9 +25,7 @@ level: high
 tags:
 - attack.initial_access
 - attack.t1566.001
- - attack.t1193 # an old one
 - attack.execution
 - attack.t1203
 - attack.t1059.003
- - attack.t1059 # an old one
 - attack.g0032
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index 0d9c18037..455a6010d 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -64,6 +64,4 @@ tags:
 - attack.execution
 - attack.t1047
 - attack.lateral_movement
- - attack.t1175 # an old one
 - attack.t1021.003
- - attack.t1021 # an old one
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index 2e1c00d3b..c58de2186 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -30,4 +30,3 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1546.008
- - attack.t1015 # an old one
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
index b3f8beed9..dc70e52e8 100644
--- a/rules/windows/process_creation/win_interactive_at.yml
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -26,4 +26,3 @@ level: high
 tags:
 - attack.privilege_escalation
 - attack.t1053.002
- - attack.t1053 # an old one
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
index 8eaa326ba..13908f26f 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -28,4 +28,3 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
- - attack.t1086 #an old one
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index c342fe36a..dcfde00a4 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -21,5 +21,3 @@ level: high
 tags:
 - attack.defense_evasion
 - attack.t1218.005
- - attack.execution # an old one
- - attack.t1170 # an old one
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
index c413f4987..27c50a03e 100644
--- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -62,4 +62,3 @@ tags:
 - attack.discovery
 - attack.t1033
 - attack.t1087.001
- - attack.t1087 # an old one
diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
index 447057246..c06734aac 100644
--- a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
+++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
@@ -10,7 +10,6 @@ modified: 2021/06/11
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085 # an old one
 - attack.t1218.011
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
index 9860bfa66..92b8e8fc5 100644
--- a/rules/windows/process_creation/win_lsass_dump.yml
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -34,4 +34,3 @@ level: high
 tags:
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 35a24f5a2..b777f363a 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -12,7 +12,6 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.t1064 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
index e0f748816..a005aad69 100644
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -8,7 +8,6 @@ modified: 2021/11/29
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
 - attack.defense_evasion
 - attack.t1027
 references:
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 1401ee4b8..1f6d68412 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -33,11 +33,7 @@ level: critical
 tags:
 - attack.defense_evasion
 - attack.t1218.011
- - attack.execution # an old one
- - attack.t1085 # an old one
 - attack.t1070.001
- - attack.t1070 # an old one
 - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
 - car.2016-04-002
diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml
index 5e6554068..812ee0c66 100644
--- a/rules/windows/process_creation/win_malware_qbot.yml
+++ b/rules/windows/process_creation/win_malware_qbot.yml
@@ -8,8 +8,6 @@ modified: 2021/01/25
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
 references:
 - https://twitter.com/killamjr/status/1179034907932315648
 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
diff --git a/rules/windows/process_creation/win_malware_ryuk.yml b/rules/windows/process_creation/win_malware_ryuk.yml
index d5a013d24..0505a7518 100644
--- a/rules/windows/process_creation/win_malware_ryuk.yml
+++ b/rules/windows/process_creation/win_malware_ryuk.yml
@@ -25,4 +25,3 @@ level: critical
 tags:
 - attack.persistence
 - attack.t1547.001
- - attack.t1060 # an old one
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 991f5f3a1..7457d8f48 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -37,5 +37,3 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 5498fac78..b9bc99598 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -58,7 +58,6 @@ tags:
 - attack.t1083
 - attack.defense_evasion
 - attack.t1222.001
- - attack.t1222 # an old one
 - attack.impact
 - attack.t1486
 - attack.t1490
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index a1ceeef7a..465d9c9de 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -20,6 +20,5 @@ falsepositives:
 - unknown
 level: critical
 tags:
- - attack.t1055 # an old one
 - attack.t1055.001
 - attack.t1218
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index f7fe4b4bf..59be92668 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -10,7 +10,6 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 tags:
 - attack.privilege_escalation
- - attack.t1134 # an old one
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index c876678d4..4ba3573a8 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -10,7 +10,6 @@ date: 2019/10/22
 modified: 2021/12/20
 tags:
 - attack.credential_access
- - attack.t1003 # an old one
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
diff --git a/rules/windows/process_creation/win_mmc20_lateral_movement.yml b/rules/windows/process_creation/win_mmc20_lateral_movement.yml
index 4a2128d2f..87f5f84ab 100644
--- a/rules/windows/process_creation/win_mmc20_lateral_movement.yml
+++ b/rules/windows/process_creation/win_mmc20_lateral_movement.yml
@@ -22,5 +22,4 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1175 # an old one
 - attack.t1021.003
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index a5718cb6b..1d5e81243 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -33,5 +33,4 @@ fields:
 level: high
 tags:
 - attack.lateral_movement
- - attack.t1175 # an old one
 - attack.t1021.003
diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
index 7b146ad29..f818a52a8 100644
--- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -6,9 +6,7 @@ references:
 status: experimental
 tags:
 - attack.persistence
- - attack.t1031 # an old one
 - attack.t1543.003
- - attack.t1058 # an old one
 - attack.t1574.011
 author: Sreeman
 date: 2020/09/29
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index 2c178ca7e..6a83af5e9 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -25,5 +25,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1170 # an old one
 - attack.t1218.005
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 2bdbff9c6..3d47a06ee 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
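Review bot: After the removal of `- attack.t1175` in win_mmc20_lateral_movement, the only technique tag left is `- attack.t1021.003`, yet the tactic tag kept as context is `- attack.execution`; the neighbouring win_mmc_spawn_shell hunk pairs the same t1021.003 tag with `- attack.lateral_movement`, and the file name itself says lateral movement. If t1175 was the only reason the execution tactic was listed, the tactic line should be changed to `- attack.lateral_movement` in the same commit so the tactic/technique pairing stays consistent across the two rules; if execution is intentionally retained, a technique under that tactic is now missing. The rule's `detection` and other keys are outside the hunk.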
@@ -35,7 +35,6 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1170 # an old one - attack.t1218.005 - car.2013-02-003 - car.2013-03-001 diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index fe8e125f4..b20d4c064 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml @@ -30,5 +30,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1136 # an old one - attack.t1136.001 diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml index 1bef8de86..c875ca215 100644 --- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml @@ -29,5 +29,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index 82a419946..4dc66d7ef 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml @@ -24,5 +24,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index d8abf36bc..f20dced4e 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml @@ -57,5 +57,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.004 diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml index 93134c22e..7182f6f9c 100644 
--- a/rules/windows/process_creation/win_new_service_creation.yml +++ b/rules/windows/process_creation/win_new_service_creation.yml @@ -25,5 +25,4 @@ level: low tags: - attack.persistence - attack.privilege_escalation - - attack.t1050 # an old one - attack.t1543.003 diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml index 68cb6815d..c772b686b 100644 --- a/rules/windows/process_creation/win_non_interactive_powershell.yml +++ b/rules/windows/process_creation/win_non_interactive_powershell.yml @@ -9,7 +9,6 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml index e06da5ede..c71a80191 100644 --- a/rules/windows/process_creation/win_office_shell.yml +++ b/rules/windows/process_creation/win_office_shell.yml @@ -52,5 +52,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002 diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index fbb81445b..c920f4450 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -7,7 +7,6 @@ references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign tags: - attack.execution - - attack.t1204 # an old one - attack.t1204.002 - attack.g0046 - car.2013-05-002 diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index b49d01714..541f37f4c 100644 
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -93,5 +93,4 @@ level: high tags: - attack.s0013 - attack.defense_evasion - - attack.t1073 # an old one - attack.t1574.002 diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 604cf1171..8f0583ae3 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -31,12 +31,8 @@ falsepositives: level: low tags: - attack.defense_evasion - - attack.t1118 # an old one - attack.t1218.004 - - attack.t1121 # an old one - attack.t1218.009 - - attack.t1127 # an old one - attack.t1127.001 - - attack.t1170 # an old one - attack.t1218.005 - attack.t1218 # no way to map 1:1, so the technique level is required diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml index 8c0411ff2..d8a7dae29 100755 --- a/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml +++ b/rules/windows/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml @@ -6,7 +6,6 @@ references: - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ tags: - attack.privilege_escalation - - attack.t1058 # an old one - attack.t1574.011 status: experimental author: Teymur Kheirkhabarov diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml index 09998eae9..2c58a5c20 100644 --- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml 
@@ -24,5 +24,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index f9cdc7643..3daa30895 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -11,7 +11,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - - attack.t1089 # an old one - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml index 4fc137225..befce328c 100644 --- a/rules/windows/process_creation/win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -27,5 +27,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml index 70e0f1d72..856abdef9 100644 --- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml +++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml @@ -31,5 +31,4 @@ level: medium tags: - attack.defense_evasion - attack.execution - - attack.t1086 # an old one - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index 37b1e3235..f68352373 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml 
@@ -26,6 +26,5 @@ falsepositives: - unknown level: medium tags: - - attack.t1086 # an old one - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml index 06cee06aa..58199e0fa 100644 --- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml @@ -10,7 +10,6 @@ date: 2021/03/03 modified: 2021/06/27 tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index cdbf19a7c..2727ed012 100644 --- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -61,5 +61,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index c09ec56b0..7b42b8dd9 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -29,7 +29,6 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1086 # an old one - attack.t1059.001 - attack.t1140 - attack.t1027 diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml index 32304fcde..4b13c0cca 100644 --- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml 
@@ -38,8 +38,6 @@ tags: - attack.execution - attack.persistence - attack.privilege_escalation - - attack.t1053 # an old one - - attack.t1086 # an old one - attack.s0111 - attack.g0022 - attack.g0060 diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index cc7e331b6..d4040c6ab 100644 --- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml @@ -12,7 +12,6 @@ date: 2019/02/23 modified: 2021/11/24 tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 - attack.t1036.005 logsource: diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml index c261b918a..9bacedfbd 100644 --- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -13,7 +13,6 @@ tags: - attack.defense_evasion - attack.t1036 - attack.credential_access - - attack.t1003 # an old one - car.2013-05-009 - attack.t1003.001 logsource: diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml index c854fac36..78252d478 100644 --- a/rules/windows/process_creation/win_psexesvc_start.yml +++ b/rules/windows/process_creation/win_psexesvc_start.yml @@ -17,6 +17,5 @@ falsepositives: level: low tags: - attack.execution - - attack.t1035 # an old one - attack.s0029 - attack.t1569.002 diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml index 27e8145f1..f4e243d03 100644 --- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml +++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml 
@@ -26,7 +26,6 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1059 # an old one - attack.t1106 - attack.t1059.003 - attack.t1218.011 diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index 64886809f..918ecf848 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -9,7 +9,6 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - - attack.t1086 # an old one - attack.t1059.001 - attack.t1021.006 logsource: diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 0f827f6d0..67777f2f1 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml @@ -65,5 +65,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml index 9bdd3dfa4..7985b931c 100644 --- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml +++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml @@ -49,5 +49,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml index 6c207f7ba..46e925dcd 100644 --- a/rules/windows/process_creation/win_renamed_jusched.yml +++ b/rules/windows/process_creation/win_renamed_jusched.yml 
@@ -25,5 +25,4 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index 8213ed3fe..02c8e11b8 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -29,7 +29,6 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 - attack.g0046 - car.2013-05-009 diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml index 59633afe4..3f6dfa2b4 100644 --- a/rules/windows/process_creation/win_renamed_powershell.yml +++ b/rules/windows/process_creation/win_renamed_powershell.yml @@ -10,7 +10,6 @@ modified: 2021/07/03 tags: - car.2013-05-009 - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 logsource: product: windows diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index 88783c5d7..843aa8c3e 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -9,7 +9,6 @@ date: 2019/11/18 modified: 2021/08/16 tags: - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 logsource: product: windows diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml index 9301e549c..5ab16c728 100644 --- a/rules/windows/process_creation/win_renamed_psexec.yml +++ b/rules/windows/process_creation/win_renamed_psexec.yml @@ -26,5 +26,4 @@ level: high tags: - car.2013-05-009 - attack.defense_evasion - - attack.t1036 # an old one - attack.t1036.003 
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml index 236e6441a..1e3a8da04 100644 --- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml +++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml @@ -23,5 +23,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1096 # an old one - attack.t1564.004 diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index c688f5fa9..e1113ee4b 100644 --- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -8,7 +8,6 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.011 - - attack.t1138 # an old one author: Markus Neis date: 2019/01/16 modified: 2021/08/14 diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index 5fc3a2a35..9b350bdda 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml @@ -22,5 +22,4 @@ falsepositives: level: low tags: - attack.execution - - attack.t1035 # an old one - attack.t1569.002 diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml index bfff03645..b2b8b1b67 100644 --- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml +++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml @@ -21,6 +21,5 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1003 # an old one - attack.t1003.002 - attack.t1003.003 
diff --git a/rules/windows/process_creation/win_shell_spawn_mshta.yml b/rules/windows/process_creation/win_shell_spawn_mshta.yml index d77e607c1..9bc718927 100644 --- a/rules/windows/process_creation/win_shell_spawn_mshta.yml +++ b/rules/windows/process_creation/win_shell_spawn_mshta.yml @@ -10,7 +10,6 @@ date: 2021/06/28 tags: - attack.execution - attack.defense_evasion - - attack.t1064 # an old one - attack.t1059.005 - attack.t1059.001 - attack.t1218 diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index b215a6ab5..bd5146fed 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -39,7 +39,6 @@ level: high tags: - attack.execution - attack.defense_evasion - - attack.t1064 # an old one - attack.t1059.005 - attack.t1059.001 - attack.t1218 diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index e88cda05d..1f818c290 100644 --- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml @@ -26,4 +26,3 @@ level: medium tags: - attack.credential_access - attack.t1558.003 - - attack.t1208 # an old one diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index fc9cb34de..212852fa1 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -9,7 +9,6 @@ date: 2020/02/18 modified: 2022/01/11 author: Sreeman tags: - - attack.t1015 # an old one - attack.t1546.008 - attack.privilege_escalation logsource: 
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index b6c580934..1e2238e94 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml @@ -13,7 +13,6 @@ tags: - attack.t1070 - attack.persistence - attack.t1542.003 - - attack.t1067 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml index 79e852bb6..b8405479e 100644 --- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml @@ -33,5 +33,4 @@ falsepositives: level: high tags: - attack.privilege_escalation - - attack.t1134 # an old one - attack.t1134.002 diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index ceb84518a..6aefefbfe 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml @@ -32,6 +32,3 @@ level: high tags: - attack.collection - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1020 # an old one - - attack.t1002 # an old one diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml index c25161a86..f5d59fe57 100644 --- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml @@ -33,4 +33,3 @@ tags: - attack.t1218.011 - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index a435db36c..d39c81233 100644 
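Review bot: Of the three tags removed from win_susp_compression_params.yml in this hunk, only `attack.t1002` is a retired ID (folded into T1560.001, which the rule keeps); `attack.t1020` (Automated Exfiltration) and the `attack.exfiltration` tactic are still current ATT&CK entries, so the `# an old one` comment does not explain why they go. Dropping them narrows the rule's mapping to Collection only, which is a scope decision rather than deprecation cleanup and should be stated as such in the commit message. If the exfiltration mapping is meant to survive, keep `- attack.exfiltration` and `- attack.t1020` and remove only the T1002 line; the rest of the file is outside this hunk, so I cannot see whether another exfiltration technique already covers it.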
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -25,5 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1085 # an old one - attack.t1218.011 diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 37a2d98d3..d133ba198 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml @@ -42,6 +42,5 @@ tags: - attack.collection - attack.exfiltration - attack.t1039 - - attack.t1105 # an old one - attack.t1048 - attack.t1021.002 diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml index a7900d6a3..e1c9bd854 100644 --- a/rules/windows/process_creation/win_susp_covenant.yml +++ b/rules/windows/process_creation/win_susp_covenant.yml @@ -32,5 +32,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1059.001 - - attack.t1564.003 - - attack.t1086 # an old one + - attack.t1564.003 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index 9a5f1afb3..8b2ae8d21 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -11,7 +11,6 @@ tags: - attack.t1059.003 - attack.t1059.001 - attack.s0106 - - attack.t1086 # an old one author: Thomas Patzke date: 2020/05/22 logsource: diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index 587425522..aa1c2aef0 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml 
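Review bot: The `- attack.t1105 # an old one` line removed from win_susp_copy_lateral_movement.yml is not a deprecated ID: T1105 (Ingress Tool Transfer, formerly "Remote File Copy") is still a live ATT&CK technique, and this same diff keeps `attack.t1105` untouched as a context line in win_susp_ps_downloadfile.yml further down. Deleting it here drops a valid mapping rather than a stale one, and the rule is left with only `attack.t1021.002` for the copy-to-remote-share behaviour it describes. If the goal was to follow ATT&CK's split of the old "Remote File Copy" entry, the lateral-movement successor is `- attack.t1570` (Lateral Tool Transfer), which should be added in place of the removed line; otherwise keep `- attack.t1105` and fix the comment. The surrounding tags list begins before this hunk, so any other technique tags on the rule are not visible.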
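Review bot: The re-added last line of win_susp_covenant.yml, `+ - attack.t1564.003`, is followed by `\ No newline at end of file`, so this hunk strips the file's trailing newline in addition to dropping the stale `attack.t1086` tag. That fails yamllint's new-line-at-end-of-file check and will resurface as a spurious one-line change the next time the rule is touched. Write the final line as `- attack.t1564.003` terminated by a newline; the existing `- attack.t1564.003` line then needs no removal and the hunk reduces to the single deletion it is meant to be.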
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml @@ -36,5 +36,3 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1027.005 - - attack.t1027 # an old one - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 68b300326..eb15b5628 100644 --- a/rules/windows/process_creation/win_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml @@ -26,6 +26,5 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.defense_evasion - - attack.t1500 # an old one - attack.t1218.005 - attack.t1027.004 diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml index 96ff5178b..3fbae6f32 100644 --- a/rules/windows/process_creation/win_susp_csc_folder.yml +++ b/rules/windows/process_creation/win_susp_csc_folder.yml @@ -12,7 +12,6 @@ date: 2019/08/24 modified: 2021/02/01 tags: - attack.defense_evasion - - attack.t1500 # an old one - attack.t1027.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml index e758f6315..30deb267c 100644 --- a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml +++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml @@ -30,4 +30,3 @@ level: high tags: - attack.defense_evasion - attack.t1055.001 - - attack.t1055 # an old one diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml index f8d0c8f9f..9b2ab10a9 100644 --- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml +++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml @@ -21,5 +21,4 @@ falsepositives: level: critical tags: - attack.defense_evasion - - attack.t1218 - - attack.execution # an old one + - attack.t1218 
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 1333585a3..ba1ad00df 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -37,4 +37,3 @@ level: medium tags: - attack.persistence - attack.t1547.001 - - attack.t1060 # an old one diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml index 96cb4a40a..a7a95326e 100644 --- a/rules/windows/process_creation/win_susp_disable_ie_features.yml +++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml @@ -30,4 +30,3 @@ level: high tags: - attack.defense_evasion - attack.t1562.001 - - attack.t1089 # an old one diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml index d5ed9858c..899c82581 100644 --- a/rules/windows/process_creation/win_susp_ditsnap.yml +++ b/rules/windows/process_creation/win_susp_ditsnap.yml @@ -25,4 +25,3 @@ level: high tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml index 24ae43496..447355b3a 100644 --- a/rules/windows/process_creation/win_susp_dnx.yml +++ b/rules/windows/process_creation/win_susp_dnx.yml @@ -22,4 +22,3 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1027.004 - - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index d14cf33a6..ea3f5a4e1 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml 
@@ -32,4 +32,3 @@ level: critical tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index 1fe56e4ed..31a2e2bef 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml @@ -24,4 +24,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218 - - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index b2d6bc67a..a0ddf9485 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -37,5 +37,4 @@ level: high tags: - attack.defense_evasion - attack.t1070.001 - - attack.t1070 # an old one - car.2016-04-002 diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index 9e1ad907d..8f63d9810 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -32,4 +32,3 @@ level: medium tags: - attack.persistence - attack.t1505.003 - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml index 7bfd6a159..b140f479a 100644 --- a/rules/windows/process_creation/win_susp_file_characteristics.yml +++ b/rules/windows/process_creation/win_susp_file_characteristics.yml @@ -11,8 +11,6 @@ modified: 2021/06/27 tags: - attack.execution - attack.t1059.006 - - attack.defense_evasion # an old one - - attack.t1064 # an old one logsource: product: windows category: process_creation 
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index 5751fdad8..4d09b1602 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml @@ -26,4 +26,3 @@ level: high tags: - attack.defense_evasion - attack.t1574.002 - - attack.t1073 # an old one diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 941506213..afb95cec6 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -24,4 +24,3 @@ level: medium tags: - attack.persistence - attack.t1505.003 - - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml index 9d22cc0af..e2ede2aeb 100644 --- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml @@ -25,4 +25,3 @@ level: high tags: - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index dee88ff69..8327351a0 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -20,4 +20,3 @@ level: medium tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml index 1bb004701..5dd9e0c24 100644 --- a/rules/windows/process_creation/win_susp_odbcconf.yml +++ b/rules/windows/process_creation/win_susp_odbcconf.yml @@ -27,5 +27,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218.008 - - attack.execution # an old one - - attack.t1218 # an old one 
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml index bff1cf575..92bcf7e23 100644 --- a/rules/windows/process_creation/win_susp_openwith.yml +++ b/rules/windows/process_creation/win_susp_openwith.yml @@ -22,4 +22,3 @@ level: high tags: - attack.defense_evasion - attack.t1218 - - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml index 2059eb01a..6124d0ec2 100644 --- a/rules/windows/process_creation/win_susp_outlook_temp.yml +++ b/rules/windows/process_creation/win_susp_outlook_temp.yml @@ -8,7 +8,6 @@ modified: 2021/06/27 tags: - attack.initial_access - attack.t1566.001 - - attack.t1193 #an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml index 38ebf22eb..88c8c7bc2 100644 --- a/rules/windows/process_creation/win_susp_pcwutl.yml +++ b/rules/windows/process_creation/win_susp_pcwutl.yml @@ -24,5 +24,3 @@ level: medium tags: - attack.defense_evasion - attack.t1218.011 - - attack.execution # an old one - - attack.t1218 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml index 9d4a166a7..f8ed94c4f 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml @@ -29,4 +29,3 @@ level: critical tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml index 194fb3f6d..eab62357c 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml 
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml @@ -27,5 +27,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 - - attack.t1088 # an old one - car.2019-04-001 diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 760907af5..c54e1962a 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -10,7 +10,6 @@ modified: 2021/03/02 tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml index 8a47cb294..f097432ae 100644 --- a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml +++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml @@ -20,6 +20,5 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 7d449f116..ffdd8aded 100644 --- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml @@ -71,4 +71,3 @@ level: high tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 3a70cb1e3..f11b4433a 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml 
@@ -29,4 +29,3 @@ level: medium
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
index 9d379112e..ec85223dd 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -57,4 +57,3 @@ level: high
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml
index 299ed2930..8efcfe570 100644
--- a/rules/windows/process_creation/win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml
@@ -11,8 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- - attack.t1003.001
- - attack.t1003 # an old one
+ - attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index 18bbbbebb..1a19bc555 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,7 +8,6 @@ references:
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/01/09
modified: 2021/11/28
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
index b6b71035f..d6ab62278 100644
--- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
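Review bot: In the win_susp_procdump_lsass.yml hunk the line `- attack.t1003.001` is removed and then re-added with identical printed content, so the only difference is presumably trailing whitespace or a line ending that is invisible in review. If that is the case, reverting the re-add leaves a pure one-line deletion of `- attack.t1003 # an old one`, matching the neighbouring hunks and keeping `git blame` on the sub-technique line intact.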
@@ -23,7 +23,6 @@ level: high
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
- attack.command_and_control
- attack.t1104
- attack.t1105
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index b4a58ce1d..7055b8ae2 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -12,8 +12,6 @@ modified: 2021/07/27
tags:
- attack.collection
- attack.t1560.001
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 86a20dd25..bf1f81614 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -22,4 +22,3 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1059
- - attack.t1064 # an old one
diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
index 8712392b9..ec29da6a7 100644
--- a/rules/windows/process_creation/win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
@@ -12,7 +12,6 @@ tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- - attack.t1087 # an old one
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index 0e98a9e1f..41133d360 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -11,8 +11,6 @@ references:
tags:
- attack.defense_evasion
- attack.t1218.010
- - attack.execution # an old one
- - attack.t1117 # an old one
- car.2019-04-002
- car.2019-04-003
logsource:
diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
index fea242d3d..03d3ccf4f 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
@@ -26,4 +26,3 @@ level: high
tags:
- attack.defense_evasion
- attack.t1218.010
- - attack.t1117 # an old one
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 5c9525cad..76bdf7c29 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -74,6 +74,4 @@ falsepositives:
level: medium
tags:
- attack.defense_evasion
- - attack.execution # an old one
- attack.t1218.011
- - attack.t1085 # an old one
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 367971c00..799053628 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -8,9 +8,7 @@ references:
- https://twitter.com/cyb3rops/status/1186631731543236608
tags:
- attack.defense_evasion
- - attack.execution # an old one
- attack.t1218.011
- - attack.t1085 # an old one
author: Florian Roth
date: 2019/10/22
modified: 2021/12/08
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index bc671f4cf..ecb3d7a8e 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -25,7 +25,6 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1053.005
- - attack.t1053 # an old one
- attack.s0111
- car.2013-08-001
falsepositives:
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 4b52d2493..9b011d35f 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -29,4 +29,4 @@ tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- - attack.t1064 # an old one
+
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 116b6c54a..733b00059 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -31,4 +31,3 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
- - attack.t1031 # an old one
diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
index 11c66ddbc..8217e0459 100644
--- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
@@ -6,7 +6,6 @@ author: FPT.EagleEye Team, wagga
date: 2020/12/11
modified: 2021/06/27
tags:
- - attack.t1100 # an old one
- attack.t1505.003
- attack.t1190
- attack.initial_access
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index af0cdb025..33755d48f 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
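Review bot: In the win_susp_script_execution.yml hunk the old-tag line is replaced by an empty added line rather than deleted (hunk counts stay `-29,4 +29,4`), so the rule now ends with a blank line after the last `- attack.t1059.007` entry. Every other hunk in this patch removes the `# an old one` entries outright; dropping the empty `+` line here makes this file consistent with them and avoids a trailing blank line that yamllint's empty-lines check would report.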
@@ -5,7 +5,6 @@ description: Detects a suspicious svchost process start
tags:
- attack.defense_evasion
- attack.t1036.005
- - attack.t1036 # an old one
author: Florian Roth
date: 2017/08/15
modified: 2021/12/03
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 4c62a63c3..c48a543f1 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -23,4 +23,3 @@ level: medium
tags:
- attack.credential_access
- attack.t1552.006
- - attack.t1003 # an old one
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index c7e82c10a..0a90bd343 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -21,6 +21,5 @@ level: high
tags:
- attack.lateral_movement
- attack.t1563.002
- - attack.t1076 # an old one
- attack.t1021.001
- car.2013-07-002
diff --git a/rules/windows/process_creation/win_susp_winrar_dmp.yml b/rules/windows/process_creation/win_susp_winrar_dmp.yml
index 450a62401..26acf49b3 100644
--- a/rules/windows/process_creation/win_susp_winrar_dmp.yml
+++ b/rules/windows/process_creation/win_susp_winrar_dmp.yml
@@ -6,11 +6,6 @@ references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
author: Florian Roth
date: 2022/01/04
-tags:
- - attack.collection
- - attack.t1560.001
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
logsource:
category: process_creation
product: windows
@@ -25,4 +20,7 @@ detection:
condition: selection and dumpfile
falsepositives:
- Legitimate use of WinRAR with a command line in which .dmp appears incidentally
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.collection
+ - attack.t1560.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_winrar_execution.yml b/rules/windows/process_creation/win_susp_winrar_execution.yml
index f7f0bbb6f..3f65047b3 100644
--- a/rules/windows/process_creation/win_susp_winrar_execution.yml
+++ b/rules/windows/process_creation/win_susp_winrar_execution.yml
@@ -10,8 +10,6 @@ modified: 2021/11/22
tags:
- attack.collection
- attack.t1560.001
- - attack.exfiltration # an old one
- - attack.t1002 # an old one
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index e45421438..79b05e66a 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -13,8 +13,6 @@ tags:
- attack.persistence
- attack.execution
- attack.t1574.002
- - attack.t1059 # an old one
- - attack.t1064 # an old one
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 8e731a03d..fcf0bf8be 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -30,5 +30,3 @@ tags:
- attack.defense_evasion
- attack.t1548.002
- attack.t1218.003
- - attack.t1191 # an old one
- - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index 2e11331ae..22dcb8137 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
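Review bot: The relocated `tags:` block in win_susp_winrar_dmp.yml is appended without a terminating newline (`\ No newline at end of file` on the new side after `- attack.t1560.001`), so the file ends mid-line; the same happens in the hunks that move `tags:` to the end of win_wmi_spwns_powershell.yml, registry_event_apt_chafer_mar18.yml, registry_event_mal_adwind.yml, registry_event_stickykey_like_backdoor.yml, registry_event_uac_bypass_eventvwr.yml, sysmon_apt_leviathan.yml, sysmon_asep_reg_keys_modification.yml, sysmon_cmstp_execution_by_registry.yml, sysmon_new_dll_added_to_appinit_dlls_registry_key.yml, sysmon_registry_persistence_key_linking.yml, sysmon_susp_run_key_img_folder.yml, sysmon_uac_bypass_sdclt.yml and sysmon_wmi_susp_scripting.yml, most of which previously ended with a newline after `level:`. Adding the trailing newline after the last `- attack.…` entry satisfies yamllint's new-line-at-end-of-file check and keeps the next edit to these files from touching that line again. Moving `tags:` below `level:` also changes the key order these rules share with the rest of the patch, where `tags:` stays above `logsource:`; if the reorder is deliberate it is worth a line in the commit message, since the other hunks only prune entries marked `# an old one`.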
@@ -25,4 +25,3 @@ level: high
tags:
- attack.privilege_escalation
- attack.t1548.002
- - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 948c66174..877ffb1b4 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -22,4 +22,3 @@ level: high
tags:
- attack.privilege_escalation
- attack.t1548.002
- - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index 5b06496a8..fea0fc749 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -14,8 +14,6 @@ tags:
- attack.t1018
- attack.t1033
- attack.t1087
- - attack.privilege_escalation # an old one
- - attack.t1100 # an old one
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index 1686926ee..6ae3785b5 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -39,5 +39,3 @@ level: high
tags:
- attack.persistence
- attack.t1505.003
- - attack.privilege_escalation # an old one
- - attack.t1100 # an old one
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 762ee4c21..e1d133705 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -34,5 +34,4 @@ level: high
tags:
- attack.persistence
- attack.t1505.003
- - attack.privilege_escalation # an old one
- attack.t1190
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 8bdca5328..5627d30b2 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -25,5 +25,4 @@ level: high
tags:
- attack.privilege_escalation
- attack.t1053.005
- - attack.t1053 # an old one
- car.2013-08-001
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index d7a084782..672859839 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -21,4 +21,3 @@ level: critical
tags:
- attack.persistence
- attack.t1546.003
- - attack.t1084 # an old one
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
index 2f6e315fe..d0ce675cc 100644
--- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
@@ -22,4 +22,3 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.003
- - attack.t1047 # an old one
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index 90a71de04..90b422eab 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -8,12 +8,6 @@ references:
author: Markus Neis / @Karneades
date: 2019/04/03
modified: 2021/02/24
-tags:
- - attack.execution
- - attack.t1047
- - attack.t1059.001
- - attack.defense_evasion # an old one
- - attack.t1064 # an old one
logsource:
category: process_creation
product: windows
@@ -32,3 +26,7 @@ falsepositives:
- AppvClient
- CCM
level: high
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.t1059.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
index 52d386477..612ecd044 100644
--- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml
+++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
@@ -26,4 +26,3 @@ tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002
- - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index de22303eb..b861ce72e 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
@@ -35,4 +35,3 @@ level: medium
tags:
- attack.defense_evasion
- attack.t1220
- - attack.execution # an old one
diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
index 7378e096c..36a523e37 100644
--- a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
+++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
@@ -7,19 +7,6 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-tags:
- - attack.persistence
- - attack.g0049
- - attack.t1053 # an old one
- - attack.t1053.005
- - attack.s0111
- - attack.t1050 # an old one
- - attack.t1543.003
- - attack.defense_evasion
- - attack.t1112
- - attack.command_and_control
- - attack.t1071 # an old one
- - attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
@@ -34,4 +21,14 @@ detection:
condition: selection_reg1
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
+tags:
+ - attack.persistence
+ - attack.g0049
+ - attack.t1053.005
+ - attack.s0111
+ - attack.t1543.003
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.command_and_control
+ - attack.t1071.004
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml
index 5c95188e2..cc6bcbd94 100644
--- a/rules/windows/registry_event/registry_event_defender_disabled.yml
+++ b/rules/windows/registry_event/registry_event_defender_disabled.yml
@@ -14,7 +14,6 @@ references:
status: experimental
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/registry_event/registry_event_defender_exclusions.yml b/rules/windows/registry_event/registry_event_defender_exclusions.yml
index 1840ff84f..863ce5553 100644
--- a/rules/windows/registry_event/registry_event_defender_exclusions.yml
+++ b/rules/windows/registry_event/registry_event_defender_exclusions.yml
@@ -12,7 +12,6 @@ references:
status: test
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
index fc25febc7..938a1f7c1 100755
--- a/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml
@@ -10,7 +10,6 @@ modified: 2021/09/12
author: Florian Roth
tags:
- attack.defense_evasion
- - attack.t1073 # an old one
- attack.t1574.002
- attack.t1112
logsource:
diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml
index 1cc8bfc66..7c4060d17 100644
--- a/rules/windows/registry_event/registry_event_mal_adwind.yml
+++ b/rules/windows/registry_event/registry_event_mal_adwind.yml
@@ -11,11 +11,6 @@ references:
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2022/01/13
-tags:
- - attack.execution
- - attack.t1059.005
- - attack.t1059.007
- - attack.t1064 # an old one
logsource:
category: registry_event
product: windows
@@ -26,3 +21,7 @@ detection:
Details|startswith: '%AppData%\Roaming\Oracle\bin\'
condition: selection
level: high
+tags:
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
index 8f5c2b1bf..597e33ad0 100644
--- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -9,7 +9,6 @@ date: 2018/03/20
modified: 2021/09/21
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
logsource:
diff --git a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
index 595145857..7a542b20e 100755
--- a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -5,13 +5,6 @@ description: Detects the usage and installation of a backdoor that uses an optio
status: experimental
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1015 # an old one
- - attack.t1546.008
- - car.2014-11-003
- - car.2014-11-008
author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
modified: 2021/09/12
@@ -30,4 +23,10 @@ detection:
condition: selection_registry
falsepositives:
- Unlikely
-level: critical
\ No newline at end of file
+level: critical
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.008
+ - car.2014-11-003
+ - car.2014-11-008
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
index 01603e588..bb1ad8524 100755
--- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
@@ -8,12 +8,6 @@ references:
author: Florian Roth
date: 2017/03/19
modified: 2021/09/12
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1088 # an old one
- - attack.t1548.002
- - car.2019-04-001
logsource:
product: windows
category: registry_event
@@ -25,3 +19,8 @@ detection:
falsepositives:
- unknown
level: critical
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_apt_leviathan.yml b/rules/windows/registry_event/sysmon_apt_leviathan.yml
index c32419187..26311a8cc 100644
--- a/rules/windows/registry_event/sysmon_apt_leviathan.yml
+++ b/rules/windows/registry_event/sysmon_apt_leviathan.yml
@@ -4,10 +4,6 @@ status: experimental
description: Detects registry key used by Leviathan APT in Malaysian focused campaign
references:
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
-tags:
- - attack.persistence
- - attack.t1060 # an old one
- - attack.t1547.001
author: Aidan Bracher
date: 2020/07/07
modified: 2021/09/13
@@ -19,3 +15,6 @@ detection:
TargetObject: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
condition: selection
level: critical
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 65923ce35..0eba0db70 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -6,10 +6,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
-tags:
- - attack.persistence
- - attack.t1547.001
- - attack.t1060 # an old one
date: 2019/10/25
modified: 2021/12/05
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
@@ -215,3 +211,6 @@ fields:
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
index 10c7f0b17..782a2365c 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution_by_registry.yml
@@ -2,13 +2,6 @@ title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1191 # an old one
- - attack.t1218.003
- - attack.g0069
- - car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/12/23
@@ -28,3 +21,9 @@ detection:
selection:
TargetObject|contains: '\cmmgr32.exe'
condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218.003
+ - attack.g0069
+ - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index da3724582..99fb16bc1 100755
--- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -23,6 +23,5 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1073 # an old one
- attack.t1574.002
- attack.t1112
diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index fd49c8429..8adfe4acc 100755
--- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -28,6 +28,5 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- - attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 8d127a5ee..884564b3e 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -19,6 +19,5 @@ falsepositives:
level: critical
tags:
- attack.credential_access
- - attack.t1003 # an old one
- attack.t1003.001
- attack.s0005
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
index e8302dd00..51cdc34d6 100644
--- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -19,7 +19,6 @@ falsepositives:
- penetration tests, red teaming
level: high
tags:
- - attack.t1037 # an old one
- attack.t1037.001
- attack.persistence
- attack.lateral_movement
diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
index 2e07a2d8c..fb729a92c 100755
--- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
@@ -22,5 +22,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1060 # an old one
- attack.t1547.001
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 1c4d405b0..2e4d32e44 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -28,5 +28,4 @@ falsepositives:
level: medium
tags:
- attack.persistence
- - attack.t1182 # an old one
- attack.t1546.009
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index e54f396b2..df6b7b4d8 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -5,10 +5,6 @@ description: DLLs that are specified in the AppInit_DLLs value in the Registry k
into every process that loads user32.dll
references:
- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
-tags:
- - attack.persistence
- - attack.t1103 # an old one
- - attack.t1546.010
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019/10/25
modified: 2021/11/11
@@ -35,3 +31,6 @@ fields:
falsepositives:
- Unknown
level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.010
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 2e2d8bef6..0a5a3fb67 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -7,10 +7,6 @@ references:
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2021/09/17
-tags:
- - attack.persistence
- - attack.t1122 # an old one
- - attack.t1546.015
logsource:
category: registry_event
product: windows
@@ -25,3 +21,6 @@ detection:
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
index 15b607a3e..1ab4d22be 100755
--- a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
+++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
@@ -20,5 +20,4 @@ falsepositives:
level: medium
tags:
- attack.initial_access
- - attack.t1193 # an old one
- attack.t1566.001
diff --git a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
index 4a2d3bb86..03ff9e243 100755
--- a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
@@ -25,5 +25,4 @@ falsepositives:
level: critical
tags:
- attack.persistence
- - attack.t1101 # an old one
- attack.t1547.005
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index b790158bc..42eeaf985 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -23,5 +23,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1060 # an old one
- attack.t1547.001
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index 0ba4aebe0..83fa79d02 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -23,5 +23,4 @@ level: high
tags:
- attack.execution
- attack.persistence
- - attack.t1177 # an old one
- attack.t1547.008
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 11e4cb99d..31e621931 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -33,6 +33,4 @@ falsepositives:
level: high
tags:
- attack.persistence
- - attack.t1060 # an old one
- attack.t1547.001
- # - capec.270
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index 6e6f8b0c8..e4e99540b 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -5,10 +5,6 @@ description: Detects suspicious new RUN key element pointing to an executable in
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis, Sander Wiebing
-tags:
- - attack.persistence
- - attack.t1060 # an old one
- - attack.t1547.001
date: 2018/08/25
modified: 2022/01/13
logsource:
@@ -39,3 +35,6 @@ fields:
falsepositives:
- Software using weird folders for updates
level: high
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index 9ede1214d..47489812b 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -30,6 +30,5 @@ falsepositives: - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. level: medium tags: - - attack.t1089 # an old one - attack.t1562.001 - attack.defense_evasion diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 378e7f623..cbb40e35c 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -19,12 +19,11 @@ detection: TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1088 # an old one - - attack.t1548.002 - - car.2019-04-001 falsepositives: - unknown level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 2d7601fa0..2014a9f78 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -32,6 +32,5 @@ tags: - attack.privilege_escalation - attack.persistence - attack.defense_evasion - - attack.t1183 # an old one - attack.t1546.012 - car.2013-01-002 diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index d6d596476..c47194cf2 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml 
@@ -19,6 +19,5 @@ falsepositives: - exclude legitimate (vetted) use of WMI event subscription in your network level: high tags: - - attack.t1084 # an old one - attack.persistence - attack.t1546.003 diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index e4b7fbf1d..cd3dcfc43 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -9,10 +9,6 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2019/04/15 modified: 2021/09/01 -tags: - - attack.t1086 # an old one - - attack.execution - - attack.t1059.005 logsource: product: windows category: wmi_event @@ -43,3 +39,6 @@ fields: falsepositives: - Administrative scripts level: high +tags: + - attack.execution + - attack.t1059.005 \ No newline at end of file From 94df11f53c01aa322de892a284e71b79149008ba Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 19 Jan 2022 18:34:07 +0100 Subject: [PATCH 45/90] fix: FPs noticed with Aurora --- .../sysmon_asep_reg_keys_modification_currentversion.yml | 3 ++- .../sysmon_asep_reg_keys_modification_currentversion_nt.yml | 5 ++++- .../sysmon_registry_persistence_search_order.yml | 5 +++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml index 9c4e8b390..559526202 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml 
@@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/27 +modified: 2022/01/15 logsource: category: registry_event product: windows @@ -42,6 +42,7 @@ detection: - Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe - Image: - 'C:\WINDOWS\system32\devicecensus.exe' + - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' filter_edge: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml index b6bdedcbc..146a67d6e 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/19 logsource: category: registry_event product: windows @@ -36,6 +36,9 @@ detection: - '\Windows\Load' filter: Details: '(Empty)' + filter_edge: + Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\' + Image|endswith: '\MicrosoftEdgeUpdate.exe' condition: nt_current_version_base and nt_current_version and not filter fields: - SecurityID diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 7b830997d..4592f54e8 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
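Review bot: The new `filter_edge` in sysmon_asep_reg_keys_modification_currentversion_nt.yml is never evaluated, because the unchanged condition just below it still reads `condition: nt_current_version_base and nt_current_version and not filter` and references only `filter`. As written the MicrosoftEdgeUpdate exclusion has no effect and the false positive this commit is meant to remove will keep firing. The condition should become `condition: nt_current_version_base and nt_current_version and not 1 of filter*`, the same `1 of filter*` form the sibling search_order rule in this commit already uses.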
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/01/08 +modified: 2022/01/19 tags: - attack.persistence - attack.t1546.015 @@ -52,9 +52,10 @@ detection: Details|contains: - '\FileRepository\nvmdi.inf' filter_edge: - Image|contains|all: + - Image|contains|all: - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{' - '\setup.exe' + - Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe' filter_dx: Image: 'C:\WINDOWS\SYSTEM32\dxdiag.exe' condition: selection and not 1 of filter* From caa4c7f97726147189c8a376d1cf9e3af45f9655 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 19 Jan 2022 20:40:43 +0100 Subject: [PATCH 46/90] Add Redcannary Windows Rules --- .../powershell_script/posh_ps_msxml_com.yml | 28 +++++++++++++++++ .../powershell_script/posh_ps_xml_iex.yml | 30 +++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml new file mode 100644 index 000000000..c2235ff87 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml 
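Review bot: The added `- Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'` in sysmon_registry_persistence_search_order.yml exempts that file name from any directory, whereas the existing Edge filter directly above it is anchored to `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{`. A same-named binary dropped elsewhere would therefore be silently excluded from this persistence rule. Consider constraining the path inside the same list item, e.g. `- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\'` followed by `Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'`, mirroring how the currentversion_nt rule in this commit combines startswith and endswith. If the updater genuinely runs this helper from a varying location, a comment next to the filter saying so would help the next reviewer.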
@@ -0,0 +1,28 @@ +title: Powershell MsXml COM Object +id: 78aa1347-1517-4454-9982-b338d6df8343 +status: experimental +description: | + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) + Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code +author: frack113 +date: 2022/01/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt + - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +logsource: + product: windows + category: ps_script +detection: + selection: + ScriptBlockText|contains|all: + - New-Object + - '-ComObject' + - MsXml2.ServerXmlHttp + condition: selection +falsepositives: + - legitimate administrative script +level: medium +tags: + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml new file mode 100644 index 000000000..23d0496ff --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml 
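Review bot: The `description` of posh_ps_msxml_com.yml is the generic ATT&CK T1059.001 text and does not say what the rule matches, so an analyst triaging a hit learns nothing about the detection itself. A rule-specific wording such as `description: Detects PowerShell script blocks that create the MSXML2.ServerXMLHTTP COM object via New-Object -ComObject, as exercised by Atomic Red Team T1059.001 test 7` would be more useful; the same copy-pasted description appears in posh_ps_xml_iex.yml in the next hunk. It would also help to say in `falsepositives` what a "legitimate administrative script" looks like here, presumably admin scripts issuing HTTP requests through this COM object.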
@@ -0,0 +1,30 @@ +title: Powershell XML Execute Command +id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b +status: experimental +description: | + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) + Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code +author: frack113 +date: 2022/01/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests +logsource: + product: windows + category: ps_script +detection: + selection_xml: + ScriptBlockText|contains|all: + - New-Object + - System.Xml.XmlDocument + - .Load + selection_exec: + - IEX + - Invoke-Expression + condition: all of selection_* +falsepositives: + - legitimate administrative script +level: medium +tags: + - attack.execution + - attack.t1059.001 From eb4731b370d0d3c682921bffa69c7e8d701bd0a5 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 09:46:17 +0700 Subject: [PATCH 47/90] Create lnx_doas_execution.yml --- .../process_creation/lnx_doas_execution.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/linux/process_creation/lnx_doas_execution.yml diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml new file mode 100644 index 000000000..5d5b70943 --- /dev/null +++ b/rules/linux/process_creation/lnx_doas_execution.yml 
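Review bot: `selection_exec` in posh_ps_xml_iex.yml is a bare list (`- IEX`, `- Invoke-Expression`) with no field name, which Sigma treats as a keyword (full-text) search rather than a match on `ScriptBlockText`, unlike `selection_xml` directly above it. Keyword searches are not supported by every backend for the ps_script logsource, and the three-character token `IEX` searched across all fields is likely to be noisy. Make it a field match consistent with the first selection: `selection_exec:` / `ScriptBlockText|contains:` / `- IEX` / `- Invoke-Expression`. Since `condition: all of selection_*` already ANDs both selections, nothing else needs to change.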
@@ -0,0 +1,22 @@ +title: Linux Doas Tool Execution (via process creation) +id: 067d8238-7127-451c-a9ec-fa78045b618b +status: stable +description: Detects the doas tool execution in linux host platform. +references: + - https://research.splunk.com/endpoint/linux_doas_tool_execution/ + - https://www.makeuseof.com/how-to-install-and-use-doas/ +author: Sittikorn S, Teoderick Contreras +date: 2022/01/20 +tags: + - attack.privilege_escalation + - attack.t1548.008 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|contains: 'doas' + ondition: selection +falsepositives: + - Unlikely +level: medium From 4f56e0d92eb4242df9f47f8a8ce4f3943a313814 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 09:48:24 +0700 Subject: [PATCH 48/90] Update lnx_doas_execution.yml --- rules/linux/process_creation/lnx_doas_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml index 5d5b70943..dfec85150 100644 --- a/rules/linux/process_creation/lnx_doas_execution.yml +++ b/rules/linux/process_creation/lnx_doas_execution.yml @@ -1,4 +1,4 @@ -title: Linux Doas Tool Execution (via process creation) +title: Linux Doas Tool Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable description: Detects the doas tool execution in linux host platform. From bb574151ba888d94ab1e945681317b17b96e6623 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 09:50:41 +0700 Subject: [PATCH 49/90] Create lnx_doas_conf_creation.yml --- .../file_create/lnx_doas_conf_creation.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/linux/file_create/lnx_doas_conf_creation.yml 
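Review bot: `Image|contains: 'doas'` in lnx_doas_execution.yml matches any process whose path merely contains the substring `doas` (a binary or directory named `doasomething`, for instance), which sits oddly with `status: stable` and `falsepositives: - Unlikely`. Anchoring on the executable name, `Image|endswith: '/doas'`, keeps the intent and drops the substring hits. Separately, the project convention is to introduce new rules as `status: experimental` and promote them later; `stable` on a rule created in this very commit is premature, and the same applies to lnx_doas_conf_creation.yml in the following commit.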
diff --git a/rules/linux/file_create/lnx_doas_conf_creation.yml b/rules/linux/file_create/lnx_doas_conf_creation.yml new file mode 100644 index 000000000..16b6c01bb --- /dev/null +++ b/rules/linux/file_create/lnx_doas_conf_creation.yml @@ -0,0 +1,22 @@ +title: Linux Doas Conf File Creation +id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681 +status: stable +description: Detects the creation of doas.conf file in linux host platform. +references: + - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/ + - https://www.makeuseof.com/how-to-install-and-use-doas/ +author: Sittikorn S, Teoderick Contreras +date: 2022/01/20 +tags: + - attack.privilege_escalation + - attack.t1548.008 +logsource: + product: linux + category: file_create +detection: + selection: + TargetFilename|endswith: '/etc/doas.conf' + condition: selection +falsepositives: + - Unlikely +level: low From 41065bcc910c5c56f3e6e168a718b05fedea10ec Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 10:11:14 +0700 Subject: [PATCH 50/90] Update lnx_doas_conf_creation.yml --- rules/linux/file_create/lnx_doas_conf_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/file_create/lnx_doas_conf_creation.yml b/rules/linux/file_create/lnx_doas_conf_creation.yml index 16b6c01bb..500ffbaee 100644 --- a/rules/linux/file_create/lnx_doas_conf_creation.yml +++ b/rules/linux/file_create/lnx_doas_conf_creation.yml @@ -15,7 +15,7 @@ logsource: category: file_create detection: selection: - TargetFilename|endswith: '/etc/doas.conf' + TargetFilename|endswith: '/etc/doas.conf' condition: selection falsepositives: - Unlikely From 8b94046efa7c56d902f92ab75b76853ebc2dced7 Mon Sep 17 00:00:00 2001 
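Review bot: `falsepositives: - Unlikely` in lnx_doas_conf_creation.yml contradicts the rule's own premise: `/etc/doas.conf` is written whenever an administrator installs or configures doas, which is exactly what the referenced makeuseof guide walks through. State the benign source explicitly, e.g. `falsepositives: - Legitimate installation or configuration of doas by administrators`, so the `level: low` is understood as "expected on hosts that use doas" rather than "rare". A short note in `description` that the rule is meant to surface doas being set up on hosts where it is not expected would make the intent clearer.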
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 10:11:24 +0700 Subject: [PATCH 51/90] Update lnx_doas_execution.yml --- rules/linux/process_creation/lnx_doas_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml index dfec85150..96bebdcbc 100644 --- a/rules/linux/process_creation/lnx_doas_execution.yml +++ b/rules/linux/process_creation/lnx_doas_execution.yml @@ -16,7 +16,7 @@ logsource: detection: selection: Image|contains: 'doas' - ondition: selection + condition: selection falsepositives: - Unlikely level: medium From f195160baa47634585197f21105d7e2e064b6f0f Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 10:58:47 +0700 Subject: [PATCH 52/90] Update lnx_doas_execution.yml --- rules/linux/process_creation/lnx_doas_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml index 96bebdcbc..84d387bd5 100644 --- a/rules/linux/process_creation/lnx_doas_execution.yml +++ b/rules/linux/process_creation/lnx_doas_execution.yml @@ -9,7 +9,7 @@ author: Sittikorn S, Teoderick Contreras date: 2022/01/20 tags: - attack.privilege_escalation - - attack.t1548.008 + - attack.t1548 logsource: product: linux category: process_creation From f21d10b69f0df6c91867f588f966809c369bee36 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Thu, 20 Jan 2022 11:00:18 +0700 Subject: [PATCH 53/90] Update lnx_doas_conf_creation.yml --- rules/linux/file_create/lnx_doas_conf_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/file_create/lnx_doas_conf_creation.yml b/rules/linux/file_create/lnx_doas_conf_creation.yml index 500ffbaee..d77ac39bc 100644 
--- a/rules/linux/file_create/lnx_doas_conf_creation.yml +++ b/rules/linux/file_create/lnx_doas_conf_creation.yml @@ -9,7 +9,7 @@ author: Sittikorn S, Teoderick Contreras date: 2022/01/20 tags: - attack.privilege_escalation - - attack.t1548.008 + - attack.t1548 logsource: product: linux category: file_create From 68f0cdf338bf1de12b2ca4fdd1111be98c8acd54 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 20 Jan 2022 09:44:36 +0100 Subject: [PATCH 54/90] feat: new log channel windows-codeintegrity-operational https://twitter.com/SBousseaden/status/1483810148602814466 --- tools/config/elk-windows.yml | 5 +++++ tools/config/elk-winlogbeat-sp.yml | 5 +++++ tools/config/elk-winlogbeat.yml | 5 +++++ tools/config/fireeye-helix.yml | 5 +++++ tools/config/hawk.yml | 5 +++++ tools/config/logpoint-windows.yml | 5 +++++ tools/config/logstash-windows.yml | 5 +++++ tools/config/powershell.yml | 5 +++++ tools/config/splunk-windows.yml | 5 +++++ tools/config/sumologic.yml | 5 +++++ tools/config/thor.yml | 5 +++++ tools/config/winlogbeat-modules-enabled.yml | 5 +++++ tools/config/winlogbeat.yml | 5 +++++ tools/config/zircolite.yml | 5 +++++ 14 files changed, 70 insertions(+) diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 9c532f66d..2543aac16 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: EventLog: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 80af860a9..7e30b7d13 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml 
@@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: log_name: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 97dfe3ec8..16ae8e6a3 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: log_name: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index 1467124cc..2a04e96ec 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml @@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows index: windows diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index fc464ce91..0fd1fb251 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -356,6 +356,11 @@ logsources: service: printservice-operational conditions: product_name: 'PrintService' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + product_name: 'CodeIntegrity' windows-smbclient-security: product: windows service: smbclient-security 
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index b821d23b8..7e7efbb02 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -57,6 +57,11 @@ logsources: service: printservice-operational conditions: event_source: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + event_source: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index f3387e076..555b3335d 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -78,6 +78,11 @@ logsources: service: printservice-operational conditions: Channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 11db7be04..276ea9696 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -98,6 +98,11 @@ logsources: service: printservice-operational conditions: LogName: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + LogName: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 06b0c7306..948777a7c 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml 
@@ -107,6 +107,11 @@ logsources: service: printservice-operational conditions: source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + source: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index 7dea87df9..9998e8cdc 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: EventChannel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/thor.yml b/tools/config/thor.yml index cbed042d5..6b01a4ec8 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -315,6 +315,11 @@ logsources: service: printservice-operational sources: - "WinEventLog:Microsoft-Windows-PrintService/Operational" + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + sources: + - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" windows-applocker: product: windows service: applocker diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 07c3c4e09..41517c93f 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
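Review bot: In splunk-windows.yml the new entry uses `source: 'Microsoft-Windows-CodeIntegrity/Operational'` while the neighbouring printservice-operational entry in the same hunk, and the thor.yml entry later in this commit, carry the `WinEventLog:` prefix (`source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'`). Splunk's Windows event log inputs populate `source` in the prefixed form, so rules converted with this config for `service: codeintegrity-operational` would presumably match nothing. Change it to `source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'` for consistency with the rest of the file.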
@@ -81,6 +81,11 @@ logsources: service: printservice-operational conditions: winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 5e913928d..006585294 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -80,6 +80,11 @@ logsources: service: printservice-operational conditions: winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml index af73a56fb..26b41b8ab 100644 --- a/tools/config/zircolite.yml +++ b/tools/config/zircolite.yml @@ -68,6 +68,11 @@ logsources: service: printservice-operational conditions: Channel: 'Microsoft-Windows-PrintService/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security From 4395a6dafa9ee2130eb8bb794b4ad69377bb3a56 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 20 Jan 2022 09:45:00 +0100 Subject: [PATCH 55/90] rule: code integrity failed driver load --- .../win_codeintegrity_failed_driver_load.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml 
diff --git a/rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml b/rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml new file mode 100644 index 000000000..69d0d3b0f --- /dev/null +++ b/rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml @@ -0,0 +1,20 @@ +title: Code Integrity Blocked Driver Load +id: f8931561-97f5-4c46-907f-0a4a592e47a7 +description: Detects driver load events that got blocked by Windows code integrity checks +author: Florian Roth +status: experimental +references: + - https://twitter.com/SBousseaden/status/1483810148602814466 +date: 2022/01/20 +tags: + - attack.execution +logsource: + product: windows + service: codeintegrity-operational +detection: + keywords: + - 'that did not meet the Microsoft signing level requirements' + condition: keywords +falsepositives: + - Unknown +level: high \ No newline at end of file From 26c1c233052c3ee1e9564ac2ca7b32030ca2ed7e Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 20 Jan 2022 10:45:30 +0100 Subject: [PATCH 56/90] fix: typo --- rules/windows/file_event/win_fe_creation_new_shim_database.yml | 2 +- rules/windows/file_event/win_fe_creation_scr_binary_file.yml | 2 +- .../file_event/win_fe_creation_unquoted_service_path.yml | 2 +- rules/windows/file_event/win_fe_writing_local_admin_share.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/file_event/win_fe_creation_new_shim_database.yml b/rules/windows/file_event/win_fe_creation_new_shim_database.yml index e98d18a5a..c00f31c4e 100644 --- a/rules/windows/file_event/win_fe_creation_new_shim_database.yml +++ b/rules/windows/file_event/win_fe_creation_new_shim_database.yml @@ -17,7 +17,7 @@ detection: TargetFilename|contains: '\Windows\apppatch\Custom\' condition: selection falsepositives: - - Unkown + - Unknown level: medium tags: - attack.persistence 
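Review bot: win_codeintegrity_failed_driver_load.yml matches only on the free-text `keywords` fragment `that did not meet the Microsoft signing level requirements`, which depends on the rendered English message; on non-English systems, or on backends that do not index the message body for this channel, the rule matches nothing. Selecting on the event ID that carries this message (presumably `EventID: 3033` in Microsoft-Windows-CodeIntegrity/Operational, to be verified against the referenced tweet) with `condition: selection` would be more robust, keeping the keyword at most as a secondary selection. The title and description speak of driver loads, but as far as I can tell the quoted message is also emitted for other image loads rejected by code integrity, so the scope should be confirmed and the `description` adjusted accordingly. `tags` lists only `attack.execution`; a technique-level tag would make the rule easier to map, and the file is missing its trailing newline.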
diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml index bc300a247..5d16e8fb9 100644 --- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml +++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml @@ -21,7 +21,7 @@ detection: - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection condition: selection and not 1 of filter* falsepositives: - - Unkown + - Unknown level: medium tags: - attack.persistence diff --git a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml index 2907976d7..5b2dfdcb1 100644 --- a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml +++ b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml @@ -17,7 +17,7 @@ detection: TargetFilename: 'C:\program.exe' condition: selection falsepositives: - - Unkown + - Unknown level: high tags: - attack.persistence diff --git a/rules/windows/file_event/win_fe_writing_local_admin_share.yml b/rules/windows/file_event/win_fe_writing_local_admin_share.yml index f24754360..5df4b850e 100644 --- a/rules/windows/file_event/win_fe_writing_local_admin_share.yml +++ b/rules/windows/file_event/win_fe_writing_local_admin_share.yml @@ -18,7 +18,7 @@ detection: - '\ADMIN$\' condition: selection falsepositives: - - Unkown + - Unknown level: medium tags: - attack.lateral_movement From c76443051a1c5e14a2c1fdb8bb9caf18b1da852a Mon Sep 17 00:00:00 2001 
From: sagiezero <61778471+sagiezero@users.noreply.github.com> Date: Thu, 20 Jan 2022 11:57:10 +0200 Subject: [PATCH 57/90] feat(rules): changing location to "application" folder --- .../rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml | 3 ++- .../rpc_firewall/rpc_firewall_ATSvc_recon.yml | 3 ++- .../rpc_firewall/rpc_firewall_DCSync_attack.yml | 3 ++- .../rpc_firewall_ITaskSchedulerService_lateral_movement.yml | 3 ++- .../rpc_firewall_ITaskSchedulerService_recon.yml | 3 ++- .../rpc_firewall/rpc_firewall_SASec_lateral_movement.yml | 3 ++- .../rpc_firewall/rpc_firewall_SASec_recon.yml | 3 ++- .../rpc_firewall/rpc_firewall_efs_abuse.yml | 3 ++- .../rpc_firewall/rpc_firewall_eventLog_recon.yml | 2 +- .../rpc_firewall/rpc_firewall_printing_lateral_movement.yml | 3 ++- .../rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml | 2 +- .../rpc_firewall_remote_registry_lateral_movement.yml | 3 ++- .../rpc_firewall/rpc_firewall_remote_registry_recon.yml | 3 ++- .../rpc_firewall_remote_server_service_abuse.yml | 5 +++-- .../rpc_firewall_remote_service_lateral_movement.yml | 3 ++- .../rpc_firewall/rpc_firewall_sharphound_recon_account.yml | 3 ++- .../rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml | 3 ++- 17 files changed, 33 insertions(+), 18 deletions(-) rename rules/{windows => application}/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_ATSvc_recon.yml (89%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_DCSync_attack.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_SASec_recon.yml (89%) rename rules/{windows => 
application}/rpc_firewall/rpc_firewall_efs_abuse.yml (89%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_eventLog_recon.yml (96%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_printing_lateral_movement.yml (92%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml (97%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml (91%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_remote_registry_recon.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml (86%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml (90%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_sharphound_recon_account.yml (89%) rename rules/{windows => application}/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml (89%) diff --git a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml similarity index 90% rename from rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml rename to rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml index d57005f0f..1804d60a4 100644 --- a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml 
@@ -1,10 +1,11 @@
 title: Remote Schedule Task Lateral Movement via ATSvc
-id: 1ff70682-0a51-30e8-076d-740be8cee98b
+id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
 description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
 references:
 - https://attack.mitre.org/techniques/T1053/
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml
similarity index 89%
rename from rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml
index 72aa69038..50d52560c 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_ATSvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml
@@ -1,10 +1,11 @@
 title: Remote Schedule Task Recon via AtScv
-id: 1ff70682-0a51-30e8-076d-740be8cee98b
+id: f177f2bc-5f3e-4453-b599-57eefce9a59c
 description: Detects remote RPC calls to read information about scheduled tasks via AtScv
 references:
 - https://attack.mitre.org/tactics/TA0007/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
 - https://github.com/zeronetworks/rpcfirewall
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.ta0007
 status: experimental
diff --git a/rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml
rename to rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml
index 324b08d62..2af1fe8df 100644
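Review bot: The ATSvc recon rule spells the interface "AtScv" on both its `title:` and `description:` context lines, while the lateral-movement rule in the hunk above and the ms-tsch reference use "ATSvc". Analysts search rules by interface name, so the misspelling will hide this one; proposed lines: `title: Remote Schedule Task Recon via ATSvc` and `description: Detects remote RPC calls to read information about scheduled tasks via ATSvc`. Replacing the interface UUID with a dedicated rule id removes the id collision the two ATSvc rules had, which is the right fix.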
--- a/rules/windows/rpc_firewall/rpc_firewall_DCSync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml
@@ -1,9 +1,10 @@
 title: Possible DCSync Attack
-id: e3514235-4b06-11d1-ab04-00c04fc2dcd2
+id: 56fda488-113e-4ce9-8076-afc2457922c3
 description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
 references:
 - https://attack.mitre.org/techniques/T1033/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md
 tags:
 - attack.t1033
 status: experimental
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
index ab463fe78..942a54498 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml
@@ -1,10 +1,11 @@
 title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
-id: 86d35949-83c9-4044-b424-db363231fd0c
+id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
 description: Detects remote RPC calls to create or execute a scheduled task
 references:
 - https://attack.mitre.org/techniques/T1053/
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
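Review bot: The DCSync rule still references `https://attack.mitre.org/techniques/T1033/` and tags `attack.t1033`, which is System Owner/User Discovery; abuse of DRSR replication is catalogued under OS Credential Dumping as sub-technique T1003.006. I'd change the reference to `- https://attack.mitre.org/techniques/T1003/006/` and the tag to `- attack.t1003.006`, adding `- attack.credential_access` for the tactic, so backends that route alerts by ATT&CK tag file this under credential access rather than discovery. The `tags:` list continues past the hunk, so check there are no further technique tags to reconcile.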
diff --git a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml b/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
index da09ba148..7418bd1f4 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml
@@ -1,9 +1,10 @@
 title: Remote Schedule Task Recon via ITaskSchedulerService
-id: 86d35949-83c9-4044-b424-db363231fd0c
+id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
 description: Detects remote RPC calls to read information about scheduled tasks
 references:
 - https://attack.mitre.org/tactics/TA0007/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.ta0007
 status: experimental
diff --git a/rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
index e138fddc1..069a61bf0 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml
@@ -1,10 +1,11 @@
 title: Remote Schedule Task Lateral Movement via SASec
-id: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+id: aff229ab-f8cd-447b-b215-084d11e79eb0
 description: Detects remote RPC calls to create or execute a scheduled task via SASec
 references:
 - https://attack.mitre.org/techniques/T1053/
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml
similarity index 89%
rename from rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml
index fb28f34b9..ea76d69d0 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_SASec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml
@@ -1,9 +1,10 @@
 title: Remote Schedule Task Lateral Movement via SASec
-id: 378e52b0-c0a9-11cf-822d-00aa0051e40f
+id: 0a3ff354-93fc-4273-8a03-1078782de5b7
 description: Detects remote RPC calls to read information about scheduled tasks via SASec
 references:
 - https://attack.mitre.org/tactics/TA0007/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
 tags:
 - attack.ta0007
 status: experimental
diff --git a/rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
similarity index 89%
rename from rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml
rename to rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index fc0e768b4..35ab83d8f 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_efs_abuse.yml
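Review bot: The SASec recon rule's `title:` context line reads "Remote Schedule Task Lateral Movement via SASec", the exact title of the lateral-movement rule in the hunk above, while its description and the TA0007 reference describe reconnaissance. Two rules that differ only in id but share a title are indistinguishable in an alert console and will mislead triage toward lateral movement; proposed line: `title: Remote Schedule Task Recon via SASec`.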
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -1,9 +1,10 @@
 title: Remote Encrypting File System Abuse
-id: df1941c5-fe89-4e79-bf10-463657acf44d
+id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
 references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml
similarity index 96%
rename from rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml
index b9d1a0643..4ca3b9582 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_eventLog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml
@@ -1,5 +1,5 @@
 title: Remote Event Log Recon
-id: 82273fdc-e32a-18c3-3f78-827929dc23ea
+id: 2053961f-44c7-4a64-b62d-f6e72800af0d
 description: Detects remote RPC calls to get event log information via EVEN or EVEN6
 references:
 - https://attack.mitre.org/tactics/TA0007/
diff --git a/rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
similarity index 92%
rename from rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index dc8b209ef..bfbef474a 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -1,11 +1,12 @@
 title: Remote Printing Abuse for Lateral Movement
-id: 12345678-1234-abcd-ef00-0123456789ab
+id: bc3a4b0c-e167-48e1-aa88-b3020950e560
 description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
 references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml b/rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
similarity index 97%
rename from rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
rename to rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
index 5dd592e2b..5c755dd54 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml
@@ -1,5 +1,5 @@
 title: Remote DCOM/WMI Lateral Movement
-id: 000001A0-0000-0000-C000-000000000046
+id: 68050b10-e477-4377-a99b-3721b422d6ef
 description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
 references:
 - https://attack.mitre.org/tactics/TA0008/
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
similarity index 91%
rename from rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index 6312ed6ca..408ca1772 100644
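Review bot: The printing rule's description names MS-RPRN / MS-PAR and the added reference is MS-RPRN-PAR.md, but the existing Microsoft link on the context line points at the `ms-pan` openspecs path, which is the Print System Asynchronous Notification specification, not MS-PAR (Print System Asynchronous Remote). Either the link or the description is wrong; which one depends on the interface UUIDs in the rule's `definition` (outside this hunk), so please check those and point the link at the ms-par document if that is the interface being blocked.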
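Review bot: The DCOM/WMI rule's `description:` context line has a subject-verb mismatch, "calls that performs"; `description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.` is the intended reading. Worth folding into this commit since the file is already being touched.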
--- a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -1,10 +1,11 @@
 title: Remote Registry Lateral Movement
-id: 338cd001-2244-31f1-aaaa-900038001003
+id: 35c55673-84ca-4e99-8d09-e334f3c29539
 description: Detects remote RPC calls to modify the registry and possible execute code
 references:
 - https://attack.mitre.org/techniques/T1112/
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index c7abe6e4a..638feabee 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -1,9 +1,10 @@
 title: Remote Registry Recon
-id: 338cd001-2244-31f1-aaaa-900038001003
+id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
 description: Detects remote RPC calls to collect information
 references:
 - https://attack.mitre.org/tactics/TA0007/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
 tags:
 - attack.ta0007
 status: experimental
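Review bot: The registry lateral-movement `description:` reads "modify the registry and possible execute code"; `description: Detects remote RPC calls to modify the registry and possibly execute code`. The recon rule's description in the second hunk, "Detects remote RPC calls to collect information", names neither what is collected nor the interface, so an analyst cannot tell the two registry alerts apart from the alert text alone; something like `description: Detects remote RPC calls that read registry data via MS-RRP` (the interface both rules reference) would do.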
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
similarity index 86%
rename from rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
rename to rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index 9e89d7526..0d41795d9 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -1,9 +1,10 @@
 title: Remote Server Service Abuse
-id: 4b324fc8-1670-01d3-1278-5a47bf6ee188
-description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
+id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
+description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
 references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
similarity index 90%
rename from rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index 3588cccbd..438aa094b 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
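Review bot: The rewritten `description:` line still says "abuse remote encryption service" — the sentence was copied from the EFS rule and only the protocol name was swapped to MS-SRVS, so the text now contradicts itself (the Server Service is not an encryption service). Proposed line: `description: Detects remote RPC calls to possibly abuse the remote Server Service via MS-SRVS`.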
@@ -1,10 +1,11 @@
 title: Remote Server Service Abuse for Lateral Movement
-id: 367abb81-9844-35f1-ad32-98f038001003
+id: 10018e73-06ec-46ec-8107-9172f1e04ff2
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
 references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://attack.mitre.org/techniques/T1569/002/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md
 tags:
 - attack.lateral_movement
 - attack.ta0008
diff --git a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
similarity index 89%
rename from rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
rename to rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index a1bb3e059..420d471e3 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -1,9 +1,10 @@
 title: SharpHound Recon Account Discovery
-id: 6bffd098-a112-3610-9833-46c3f87e345a
+id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
 - https://attack.mitre.org/techniques/T1087/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md
 tags:
 - attack.t1087
 status: experimental
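Review bot: The remote-service rule's `title:` ("Remote Server Service Abuse for Lateral Movement") and `description:` ("remote encryption service via MS-EFSR") contradict the file name, the T1569.002 (Service Execution) reference and the newly added `MS-SCMR.md` link, which all point to the Service Control Manager protocol; the Microsoft link also still goes to the ms-srvs document. Copy-paste residue like this misdirects triage once the rule fires, so I'd align all three: `title: Remote Service Control Manager Abuse for Lateral Movement`, `description: Detects remote RPC calls to create or control services via MS-SCMR`, and an ms-scmr openspecs link in place of the ms-srvs one. Confirm against the interface UUID in the rule's `definition` (outside this hunk) before changing the text.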
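Review bot: The SharpHound account rule's `description:` has a typo, "useb"; `description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.` The same typo and the identical sentence appear in rpc_firewall_sharphound_recon_sessions.yml in the next hunk, even though that rule references MS-SRVS and T1033 while this one references MS-WKST and T1087. Stating in each description which enumeration it covers would make the two alerts distinguishable; the interface UUIDs in each rule's `definition` (outside these hunks) are the place to confirm that.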
diff --git a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
similarity index 89%
rename from rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
rename to rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index db8950aac..66776738f 100644
--- a/rules/windows/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
@@ -1,9 +1,10 @@
 title: SharpHound Recon Sessions
-id: 4b324fc8-1670-01d3-1278-5a47bf6ee188
+id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
 - https://attack.mitre.org/techniques/T1033/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+ - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
 tags:
 - attack.t1033
 status: experimental
From 8cf78fb4e65e7a51f6368c089a7b60feaf37b7e6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 20 Jan 2022 11:08:08 +0100
Subject: [PATCH 58/90] rules: advancedrun executions
---
 .../process_creation/win_susp_advancedrun.yml | 28 +++++++++++++++++
 .../win_susp_advancedrun_priv_user.yml | 30 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_advancedrun.yml
 create mode 100644 rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
diff --git a/rules/windows/process_creation/win_susp_advancedrun.yml b/rules/windows/process_creation/win_susp_advancedrun.yml
new file mode 100644
index 000000000..911766159
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_advancedrun.yml
@@ -0,0 +1,28 @@
+title: Suspicious AdvancedRun Execution
+id: d2b749ee-4225-417e-b20e-a8d2193cbb84
+status: experimental
+description: Detects the execution of AdvancedRun utitlity
+references:
+ - https://twitter.com/splinter_code/status/1483815103279603714
+ - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+ - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+author: Florian Roth
+date: 2022/01/20
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith: '\AdvancedRun.exe'
+ - CommandLine|contains|all:
+ - ' /EXEFilename '
+ - ' /Run'
+ - CommandLine|contains|all:
+ - ' /WindowState 0'
+ - ' /RunAs '
+ - ' /CommandLine '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
new file mode 100644
index 000000000..9401ed7d6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
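Review bot: `description:` has a typo, "utitlity": `description: Detects the execution of the AdvancedRun utility`; the same typo is in the win_susp_advancedrun_priv_user.yml description in the next hunk. The first alternative under `selection`, `Image|endswith: '\AdvancedRun.exe'`, only fires when the binary keeps its shipped name, so a renamed copy is caught solely by the command-line alternatives; adding `- OriginalFileName: 'AdvancedRun.exe'` as a further alternative (the PE-header name Sysmon and comparable sources expose) would make the image branch rename-resistant. A one-line comment above the second alternative noting that `' /Run'` is deliberately a prefix (it also matches `/RunAs`) would save the next maintainer from tightening it by accident.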
@@ -0,0 +1,30 @@
+title: Suspicious AdvancedRun Runas Priv User
+id: fa00b701-44c6-4679-994d-5a18afa8a707
+status: experimental
+description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller or SYSTEM account
+references:
+ - https://twitter.com/splinter_code/status/1483815103279603714
+ - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+ - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+author: Florian Roth
+date: 2022/01/20
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '/EXEFilename'
+ - '/CommandLine'
+ selection_runas:
+ - CommandLine|contains:
+ - ' /RunAs 8 '
+ - ' /RunAs 4 '
+ - CommandLine|endswith:
+ - '/RunAs 8'
+ - '/RunAs 4'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
From 375acb8ba4cbf756ee4759a71a385ce831173d91 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 20 Jan 2022 13:07:53 +0100
Subject: [PATCH 59/90] Update lnx_doas_conf_creation.yml
---
 rules/linux/file_create/lnx_doas_conf_creation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/file_create/lnx_doas_conf_creation.yml b/rules/linux/file_create/lnx_doas_conf_creation.yml
index d77ac39bc..11c4e0635 100644
--- a/rules/linux/file_create/lnx_doas_conf_creation.yml
+++ b/rules/linux/file_create/lnx_doas_conf_creation.yml
@@ -19,4 +19,4 @@ detection:
 condition: selection
 falsepositives:
 - Unlikely
-level: low
+level: medium
From 885f70b0f3dc777edc75faf9d8e4e4c254c5d4e3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 20 Jan 2022 13:08:39 +0100
Subject: [PATCH 60/90] Update lnx_doas_execution.yml
---
 rules/linux/process_creation/lnx_doas_execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
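Review bot: The `selection_runas` values `' /RunAs 8 '` and `' /RunAs 4 '` are bare numbers with nothing in the rule tying them to the "TrustedInstaller or SYSTEM" named in the description, so a maintainer cannot tell which mode is which or why the other modes are excluded. A comment above `selection_runas:` along the lines of `# /RunAs 4 and 8 are the elevated account modes named in the description; mapping per the AdvancedRun docs (winhelponline reference)` — with the exact mode-to-account mapping filled in from that documentation — would make the rule self-explaining.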
diff --git a/rules/linux/process_creation/lnx_doas_execution.yml b/rules/linux/process_creation/lnx_doas_execution.yml
index 84d387bd5..c47444781 100644
--- a/rules/linux/process_creation/lnx_doas_execution.yml
+++ b/rules/linux/process_creation/lnx_doas_execution.yml
@@ -15,8 +15,8 @@ logsource:
 category: process_creation
 detection:
 selection:
- Image|contains: 'doas'
+ Image|endswith: '/doas'
 condition: selection
 falsepositives:
 - Unlikely
-level: medium
+level: low
From b7b95f90553898073f34fff3d959cf6ec2cf977a Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 20 Jan 2022 14:57:57 +0100
Subject: [PATCH 61/90] Order application folder
---
 rules/application/{ => django}/appframework_django_exceptions.yml | 0
 rules/application/{ => python}/app_python_sql_exceptions.yml | 0
 .../{ => ruby}/appframework_ruby_on_rails_exceptions.yml | 0
 rules/application/{ => spring}/appframework_spring_exceptions.yml | 0
 rules/application/{ => sql}/app_sqlinjection_errors.yml | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/application/{ => django}/appframework_django_exceptions.yml (100%)
 rename rules/application/{ => python}/app_python_sql_exceptions.yml (100%)
 rename rules/application/{ => ruby}/appframework_ruby_on_rails_exceptions.yml (100%)
 rename rules/application/{ => spring}/appframework_spring_exceptions.yml (100%)
 rename rules/application/{ => sql}/app_sqlinjection_errors.yml (100%)
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
similarity index 100%
rename from rules/application/appframework_django_exceptions.yml
rename to rules/application/django/appframework_django_exceptions.yml
diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
similarity index 100%
rename from rules/application/app_python_sql_exceptions.yml
rename to rules/application/python/app_python_sql_exceptions.yml
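Review bot: `Image|endswith: '/doas'` assumes the process_creation source always records an absolute path; on pipelines where Image carries only the basename the tightened rule matches nothing, whereas the old `contains: 'doas'` did (at the cost of hitting any path containing that substring). If that is a concern, a second selection such as `selection_bare:` with `Image: 'doas'` and `condition: 1 of selection*` keeps the match exact without reopening the substring behaviour. The simultaneous drop from medium to low is presumably deliberate, but the commit message gives no reason, and a one-line rationale there would help anyone tuning this later.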
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
similarity index 100%
rename from rules/application/appframework_ruby_on_rails_exceptions.yml
rename to rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/spring/appframework_spring_exceptions.yml
similarity index 100%
rename from rules/application/appframework_spring_exceptions.yml
rename to rules/application/spring/appframework_spring_exceptions.yml
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
similarity index 100%
rename from rules/application/app_sqlinjection_errors.yml
rename to rules/application/sql/app_sqlinjection_errors.yml
From eb5578fa3348719d118285cf066022f9dc4da4a7 Mon Sep 17 00:00:00 2001
From: sagiezero <61778471+sagiezero@users.noreply.github.com>
Date: Thu, 20 Jan 2022 16:53:01 +0200
Subject: [PATCH 62/90] fix(rules): fixed capital in rule names, removed unknown mitre tags, removed unknown tag in logsource.
---
 ...nt.yml => rpc_firewall_atsvc_lateral_movement.yml} | 8 +++-----
 ...l_ATSvc_recon.yml => rpc_firewall_atsvc_recon.yml} | 9 +++------
 ...Sync_attack.yml => rpc_firewall_dcsync_attack.yml} | 7 +++----
 .../rpc_firewall/rpc_firewall_efs_abuse.yml | 8 +++-----
 ...tLog_recon.yml => rpc_firewall_eventlog_recon.yml} | 9 +++------
 ...rewall_itaskschedulerservice_lateral_movement.yml} | 9 ++++-----
 ...l => rpc_firewall_itaskschedulerservice_recon.yml} | 9 +++------
 .../rpc_firewall_printing_lateral_movement.yml | 3 +-
 ...or_WMI.yml => rpc_firewall_remote_dcom_or_wmi.yml} | 8 +++-----
 .../rpc_firewall_remote_registry_lateral_movement.yml | 9 +++------
 .../rpc_firewall_remote_registry_recon.yml | 9 +++------
 .../rpc_firewall_remote_server_service_abuse.yml | 11 ++++-------
 .../rpc_firewall_remote_service_lateral_movement.yml | 11 ++++-------
 ...nt.yml => rpc_firewall_sasec_lateral_movement.yml} | 8 +++-----
 ...l_SASec_recon.yml => rpc_firewall_sasec_recon.yml} | 9 +++------
 .../rpc_firewall_sharphound_recon_account.yml | 7 +++----
 .../rpc_firewall_sharphound_recon_sessions.yml | 7 +++----
 tests/test_rules.py | 1 +
 tools/config/splunk-windows.yml | 5 +++++
 19 files changed, 58 insertions(+), 89 deletions(-)
 rename rules/application/rpc_firewall/{rpc_firewall_ATSvc_lateral_movement.yml => rpc_firewall_atsvc_lateral_movement.yml} (84%)
 rename rules/application/rpc_firewall/{rpc_firewall_ATSvc_recon.yml => rpc_firewall_atsvc_recon.yml} (83%)
 rename rules/application/rpc_firewall/{rpc_firewall_DCSync_attack.yml => rpc_firewall_dcsync_attack.yml} (85%)
 rename rules/application/rpc_firewall/{rpc_firewall_eventLog_recon.yml => rpc_firewall_eventlog_recon.yml} (81%)
 rename
rules/application/rpc_firewall/{rpc_firewall_ITaskSchedulerService_lateral_movement.yml => rpc_firewall_itaskschedulerservice_lateral_movement.yml} (85%)
 rename rules/application/rpc_firewall/{rpc_firewall_ITaskSchedulerService_recon.yml => rpc_firewall_itaskschedulerservice_recon.yml} (83%)
 rename rules/application/rpc_firewall/{rpc_firewall_remote_DCOM_or_WMI.yml => rpc_firewall_remote_dcom_or_wmi.yml} (86%)
 rename rules/application/rpc_firewall/{rpc_firewall_SASec_lateral_movement.yml => rpc_firewall_sasec_lateral_movement.yml} (84%)
 rename rules/application/rpc_firewall/{rpc_firewall_SASec_recon.yml => rpc_firewall_sasec_recon.yml} (82%)
diff --git a/rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
similarity index 84%
rename from rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml
rename to rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 1804d60a4..aa41a7098 100644
--- a/rules/application/rpc_firewall/rpc_firewall_ATSvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -6,9 +6,10 @@ references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 tags:
 - attack.lateral_movement
- - attack.ta0008
 - attack.t1053
 - attack.t1053.002
 status: experimental
@@ -17,11 +18,8 @@ date: 2022/01/01
 modified: 2022/01/01
 logsource:
 product: windows
- service: rpc_firewall
+ service: rpc-firewall
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
- references:
- - https://github.com/zeronetworks/rpcfirewall
- - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 detection:
 selection:
 - EventLog: RPCFW
diff --git a/rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
similarity index 83%
rename from rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 50d52560c..f441b9175 100644
--- a/rules/application/rpc_firewall/rpc_firewall_ATSvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -6,19 +6,16 @@ references:
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
 - https://github.com/zeronetworks/rpcfirewall
 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
-tags:
- - attack.ta0007
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 status: experimental
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
 product: windows
- service: rpc_firewall
+ service: rpc-firewall
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
- references:
- - https://github.com/zeronetworks/rpcfirewall
- - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 detection:
 selection:
 - EventLog: RPCFW
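Review bot: The recon hunk adds `+ - https://github.com/zeronetworks/rpcfirewall` directly beneath a context line that already lists the same URL, so the rule now carries a duplicate reference; drop the added line and keep only the new blog link. The same duplication is in the rpc_firewall_eventlog_recon.yml hunk further down this commit. Deleting the whole `tags:` block also leaves the recon rules with no ATT&CK tag at all; if `attack.ta0007` was removed only because tactic ids are not accepted, the tactic-name form `attack.discovery` (the same style as the `attack.lateral_movement` tag kept in the lateral-movement rules) would preserve the classification.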
diff --git a/rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
similarity index 85%
rename from rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml
rename to rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
index 2af1fe8df..3a0c7ccae 100644
--- a/rules/application/rpc_firewall/rpc_firewall_DCSync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
@@ -5,6 +5,8 @@ references:
 - https://attack.mitre.org/techniques/T1033/
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 tags:
 - attack.t1033
 status: experimental
@@ -13,11 +15,8 @@ date: 2022/01/01
 modified: 2022/01/01
 logsource:
 product: windows
- service: rpc_firewall
+ service: rpc-firewall
 definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
- references:
- - https://github.com/zeronetworks/rpcfirewall
- - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 detection:
 selection:
 - EventLog: RPCFW
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index 35ab83d8f..389d8a770 100644
--- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -5,20 +5,18 @@ references:
 - https://attack.mitre.org/tactics/TA0008/
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md
+ - https://github.com/zeronetworks/rpcfirewall
+ - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 tags:
 - attack.lateral_movement
- - attack.ta0008
 status: experimental
 author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
 product: windows
- service: rpc_firewall
+ service: rpc-firewall
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
- references:
- - https://github.com/zeronetworks/rpcfirewall
- - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
 detection:
 selection:
 - EventLog: RPCFW
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
similarity index 81%
rename from rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml
rename to rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index 4ca3b9582..93623e276 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventLog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
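Review bot: The `definition:` context line in the efs_abuse hunk has an unbalanced quote — the `"audit:true action:block uuid:... or c681d488-...` fragment is opened with a double quote that is never closed before the single quote ending the scalar, unlike the sibling rules in this commit which close it. YAML accepts it, but this string is the operator's copy-and-paste instruction for the RPC Firewall configuration, so it should end `... or c681d488-d850-11d0-8c52-00c04fd90f7e"'`; whether the second UUID also needs its own `uuid:` prefix depends on the RPC Firewall config syntax and is worth checking against the project's README while the line is being touched.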
@@ -4,19 +4,16 @@ description: Detects remote RPC calls to get event log information via EVEN or E references: - https://attack.mitre.org/tactics/TA0007/ - https://github.com/zeronetworks/rpcfirewall -tags: - - attack.ta0007 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml similarity index 85% rename from rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml rename to rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml index 942a54498..803a6bce0 100644 --- a/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml 
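Review bot: The new side of this hunk lists `- https://github.com/zeronetworks/rpcfirewall` twice under `references`, because the URL was already a context line immediately above the added one; drop the added copy. The hunk also removes the `tags:` key together with `attack.ta0007` without adding a replacement, so the rule ends up with no ATT&CK mapping at all; Sigma expresses the tactic by name, so `tags:` followed by `  - attack.discovery` is the expected form. The same tags removal, without the duplicate reference, happens in the itaskschedulerservice_recon, remote_registry_recon and sasec_recon hunks below.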
@@ -6,9 +6,10 @@ references: - https://attack.mitre.org/tactics/TA0008/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 - attack.t1053 - attack.t1053.002 status: experimental @@ -17,11 +18,9 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ + detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml similarity index 83% rename from rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml rename to rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml index 7418bd1f4..6d8aad4b6 100644 --- a/rules/application/rpc_firewall/rpc_firewall_ITaskSchedulerService_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml 
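Review bot: The second hunk inserts an empty added line between `definition:` and `detection:` (the lone `+` after the removed nested `references`), which none of the sibling rule files in this commit have; drop the blank line so the rule files stay uniform. The `selection` block continues outside the hunk.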
@@ -5,19 +5,16 @@ references: - https://attack.mitre.org/tactics/TA0007/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md -tags: - - attack.ta0007 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml index bfbef474a..3052b9932 100644 --- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml @@ -9,14 +9,13 @@ references: - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md tags: - attack.lateral_movement - - attack.ta0008 status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1' references: - https://github.com/zeronetworks/rpcfirewall 
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml similarity index 86% rename from rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml rename to rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml index 5c755dd54..8868c8996 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_DCOM_or_WMI.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml @@ -6,9 +6,10 @@ references: - https://attack.mitre.org/techniques/T1021/003/ - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 - attack.t1021.003 - attack.t1047 status: experimental @@ -17,11 +18,8 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml index 408ca1772..0a04a1120 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml 
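Review bot: The `definition` kept on the new side of the second hunk tells operators to configure the RPC Firewall for `uuid:367abb81-9844-35f1-ad32-98f038001003`, which is the MS-SCMR interface the remote_service_lateral_movement rule uses, while this rule's selection (see its hunk in the second commit further down the page) matches `InterfaceUuid` values beginning with `4d9f4ab8-7d1c-11cf-861e-0020af6e7c57`. Following the definition as written would therefore not produce the audit events the selection looks for. Rewrite the definition to list the DCOM/WMI interface UUIDs the selection actually matches; that `InterfaceUuid` list is cut off in the later hunk, so check it against the file.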
@@ -6,21 +6,18 @@ references: - https://attack.mitre.org/tactics/TA0008/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 - - attack.t1112 status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml index 638feabee..b5fd848c8 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml 
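Review bot: This hunk removes `attack.t1112` together with `attack.ta0008`, whereas the sibling lateral-movement hunks in this commit drop only the TA id and keep their technique tags, leaving this rule with a tactic and no technique. If the intent was just to remove tactic-ID tags, keep `- attack.t1112`; if the technique was deliberately dropped, a replacement technique tag is presumably still wanted. The `selection` block continues outside the hunk.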
@@ -5,19 +5,16 @@ references: - https://attack.mitre.org/tactics/TA0007/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md -tags: - - attack.ta0007 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml index 0d41795d9..4717afa29 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml 
@@ -5,26 +5,23 @@ references: - https://attack.mitre.org/tactics/TA0008/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW EventID: 3 - InterfaceUuid: - - 4b324fc8-1670-01d3-1278-5a47bf6ee188 + InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188 condition: selection falsepositives: - Legitimate remote share creation diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml index 438aa094b..467d02672 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml 
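Review bot: The selection, now `InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188` with `EventID: 3` and no `OpNum`, matches every audited MS-SRVS call, including the `opnum:12` session enumeration that the sharphound_recon_sessions rule further down targets, so both rules fire on the same event. The `falsepositives` entry `Legitimate remote share creation` suggests the rule is meant for share-management operations only; constraining the selection with `OpNum: <share-management opnum>` would keep the two rules disjoint. The `definition` also asks for `action:block` on the whole SRVS UUID, which would block all Server-service RPC on the host rather than just the abused calls; if only auditing is intended, say so there.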
@@ -6,9 +6,10 @@ references: - https://attack.mitre.org/techniques/T1569/002/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 - attack.t1569.002 status: experimental author: Sagie Dulce, Dekel Paz @@ -16,17 +17,13 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW EventID: 3 - InterfaceUuid: - - 367abb81-9844-35f1-ad32-98f038001003 + InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003 condition: selection falsepositives: - Administrative tasks on remote services diff --git a/rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml similarity index 84% rename from rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml rename to rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml index 069a61bf0..ff3867781 100644 --- a/rules/application/rpc_firewall/rpc_firewall_SASec_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml 
@@ -6,9 +6,10 @@ references: - https://attack.mitre.org/tactics/TA0008/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement - - attack.ta0008 - attack.t1053 - attack.t1053.002 status: experimental @@ -17,11 +18,8 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml similarity index 82% rename from rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml rename to rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml index ea76d69d0..8bf2f405f 100644 --- a/rules/application/rpc_firewall/rpc_firewall_SASec_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml 
@@ -5,19 +5,16 @@ references: - https://attack.mitre.org/tactics/TA0007/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md -tags: - - attack.ta0007 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ status: experimental author: Sagie Dulce, Dekel Paz date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml index 420d471e3..e4dceee30 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml @@ -5,6 +5,8 @@ references: - https://attack.mitre.org/techniques/T1087/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.t1087 status: experimental 
@@ -13,11 +15,8 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml index 66776738f..7664b7aec 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml @@ -5,6 +5,8 @@ references: - https://attack.mitre.org/techniques/T1033/ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.t1033 status: experimental @@ -13,11 +15,8 @@ date: 2022/01/01 modified: 2022/01/01 logsource: product: windows - service: rpc_firewall + service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - EventLog: RPCFW diff --git a/tests/test_rules.py b/tests/test_rules.py index be340f84d..10eaf7940 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -625,6 +625,7 @@ class TestRules(unittest.TestCase): "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): + print("Testing invalid log sources...\n") faulty_rules = [] valid_logsource = [ 'category', diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 06b0c7306..a6227635f 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -112,5 +112,10 @@ logsources: service: smbclient-security conditions: source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' + windows-rpc-firewall: + product: windows + service: rpc-firewall + conditions: + source: 'WinEventLog:RPCFW' fieldmappings: EventID: EventCode From 929711f5c1f5d3c1a1df7db14a4b07b4755da7fa Mon Sep 17 00:00:00 2001 
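Review bot: The added `print("Testing invalid log sources...\n")` at the top of `test_invalid_logsource_attributes` writes to stdout from a unittest case; unless the other `TestRules` methods (outside the hunk) do the same, this looks like leftover debugging output, and `python -m unittest -v` already names each test as it runs. Drop the line, or route progress output through the `logging` module consistently across the class rather than a one-off print. The rest of the method continues outside the hunk.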
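Review bot: The new `windows-rpc-firewall` logsource pins the channel with `source: 'WinEventLog:RPCFW'`, but the rules that use `service: rpc-firewall` also select on `EventLog: RPCFW`, and the `fieldmappings` stanza visible here maps only `EventID: EventCode`, so the generated SPL would additionally require a field literally named `EventLog`, which the Windows event-log input does not expose under that name unless something extracts it. Either add a mapping for `EventLog` here, or remove `EventLog: RPCFW` from the rule selections so the logsource alone carries the channel constraint. The `fieldmappings` stanza continues outside the hunk, so confirm no such mapping already exists further down.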
From: sagiezero <61778471+sagiezero@users.noreply.github.com> Date: Thu, 20 Jan 2022 17:27:47 +0200 Subject: [PATCH 63/90] fix(rules): missed stuff from previous fix --- .../rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml | 2 +- .../application/rpc_firewall/rpc_firewall_atsvc_recon.yml | 2 +- .../rpc_firewall/rpc_firewall_dcsync_attack.yml | 2 +- rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml | 2 +- .../rpc_firewall/rpc_firewall_eventlog_recon.yml | 2 +- ...rpc_firewall_itaskschedulerservice_lateral_movement.yml | 2 +- .../rpc_firewall_itaskschedulerservice_recon.yml | 2 +- .../rpc_firewall_printing_lateral_movement.yml | 7 +++---- .../rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml | 2 +- .../rpc_firewall_remote_registry_lateral_movement.yml | 2 +- .../rpc_firewall/rpc_firewall_remote_registry_recon.yml | 2 +- .../rpc_firewall_remote_server_service_abuse.yml | 2 +- .../rpc_firewall_remote_service_lateral_movement.yml | 2 +- .../rpc_firewall/rpc_firewall_sasec_lateral_movement.yml | 2 +- .../application/rpc_firewall/rpc_firewall_sasec_recon.yml | 2 +- .../rpc_firewall/rpc_firewall_sharphound_recon_account.yml | 2 +- .../rpc_firewall_sharphound_recon_sessions.yml | 2 +- rules/linux/other/lnx_security_tools_disabling_syslog.yml | 1 - 18 files changed, 19 insertions(+), 21 deletions(-) diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml index aa41a7098..3eb7a8067 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml @@ -22,7 +22,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b OpNum: 
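Review bot: With `- EventLog: RPCFW` turned into the plain key `EventLog: RPCFW`, the selection is a single mapping again, but the key itself duplicates what `service: rpc-firewall` already expresses through the backend config (`source: 'WinEventLog:RPCFW'` in the splunk-windows.yml hunk earlier on the page) and will only match on backends that map or extract such a field. Consider dropping `EventLog: RPCFW` from the selection and relying on the logsource; the same applies to the other sixteen `- EventLog` to `EventLog` hunks in this commit. The `OpNum` list continues outside the hunk.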
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml index f441b9175..42782035c 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml @@ -18,7 +18,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b filter: diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml index 3a0c7ccae..0f3de7691 100644 --- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml +++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml @@ -19,7 +19,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2 filter: diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml index 389d8a770..49a03711f 100644 --- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml +++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml @@ -19,7 +19,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: - df1941c5-fe89-4e79-bf10-463657acf44d 
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml index 93623e276..d4adfc5a8 100644 --- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml @@ -16,7 +16,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: - 82273fdc-e32a-18c3-3f78-827929dc23ea diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml index 803a6bce0..5fefb3796 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml @@ -23,7 +23,7 @@ logsource: detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c OpNum: diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml index 6d8aad4b6..0f137a06c 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml @@ -17,7 +17,7 @@ logsource: definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c filter: 
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml index 3052b9932..52b84b0c1 100644 --- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml @@ -7,6 +7,8 @@ references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ tags: - attack.lateral_movement status: experimental @@ -17,12 +19,9 @@ logsource: product: windows service: rpc-firewall definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1' - references: - - https://github.com/zeronetworks/rpcfirewall - - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ detection: selection: - - EventLog: RPCFW + EventLog: RPCFW EventID: 3 InterfaceUuid: - 12345678-1234-abcd-ef00-0123456789ab diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml index 8868c8996..cedae663d 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml 
@@ -22,7 +22,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid:
 - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index 0a04a1120..51f8c098e 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -20,7 +20,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
 OpNum:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index b5fd848c8..779bd9d35 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -17,7 +17,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
 filter:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index 4717afa29..b16f441cc 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
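Review bot: In rpc_firewall_remote_dcom_or_wmi.yml the `definition` context line tells the operator to configure the RPC Firewall for `uuid:367abb81-9844-35f1-ad32-98f038001003`, the interface the remote_service_lateral_movement rule below selects on, while this rule's own selection matches `InterfaceUuid` 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; the requirement text looks copied from the service rule and does not describe what this rule detects. Anyone following the definition would audit the wrong interface and the selection would have nothing to match. Suggest rewriting it around the UUIDs the selection actually lists, e.g. `definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"'`, extended with any further entries of the `InterfaceUuid` list, which continues past the end of this hunk.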
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -19,7 +19,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
 condition: selection
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index 467d02672..1fc9018b4 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -21,7 +21,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
 condition: selection
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index ff3867781..7b4d8cea1 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -22,7 +22,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
 OpNum:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index 8bf2f405f..8d594dce8 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -17,7 +17,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
 filter:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index e4dceee30..939052b9c 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -19,7 +19,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
 OpNum: 2
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index 7664b7aec..71e8ac8a9 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
@@ -19,7 +19,7 @@ logsource:
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
 detection:
 selection:
- - EventLog: RPCFW
+ EventLog: RPCFW
 EventID: 3
 InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
 OpNum: 12
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index 655b9528e..096cbe2e9 100644
--- a/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -13,7 +13,6 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1562.004
- - attack.t1089 # an old one
 logsource:
 product: linux
 service: syslog
From eb22807ddc4e4e766380c78bdbcfc7079dd32d49 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 20 Jan 2022 22:06:55 +0100
Subject: [PATCH 64/90] Order rules
---
.../{windows/malware => application/antivirus}/av_exploiting.yml | 0
rules/{windows/malware => application/antivirus}/av_hacktool.yml | 0
.../malware => application/antivirus}/av_password_dumper.yml | 0
.../antivirus}/av_printernightmare_cve_2021_34527.yml | 0
.../malware => application/antivirus}/av_relevant_files.yml | 0
rules/{windows/malware => application/antivirus}/av_webshell.yml | 0
.../edr/windows}/edr_command_execution_by_office_applications.yml | 0
.../{malware => file_event}/file_event_mal_octopus_scanner.yml | 0
.../process_creation_mal_blue_mockingbird.yml | 0
.../process_creation_mal_darkside_ransomware.yml | 0
.../process_creation_mal_lockergoga_ransomware.yml | 0
.../{malware => process_creation}/process_creation_mal_ryuk.yml | 0
.../{malware => registry_event}/registry_event_mal_azorult.yml | 0
.../registry_event_mal_blue_mockingbird.yml | 0
.../{malware => registry_event}/registry_event_mal_flowcloud.yml | 0
.../{malware => registry_event}/registry_event_mal_netwire.yml | 0
.../{malware => registry_event}/registry_event_mal_ursnif.yml | 0
17 files changed, 0 insertions(+), 0 deletions(-)
rename rules/{windows/malware => application/antivirus}/av_exploiting.yml (100%)
rename rules/{windows/malware => application/antivirus}/av_hacktool.yml (100%)
rename rules/{windows/malware => application/antivirus}/av_password_dumper.yml (100%)
rename rules/{windows/malware => application/antivirus}/av_printernightmare_cve_2021_34527.yml (100%)
rename rules/{windows/malware => application/antivirus}/av_relevant_files.yml (100%)
rename rules/{windows/malware => application/antivirus}/av_webshell.yml (100%)
rename rules/{windows/edr => application/edr/windows}/edr_command_execution_by_office_applications.yml (100%)
rename rules/windows/{malware => file_event}/file_event_mal_octopus_scanner.yml (100%)
rename rules/windows/{malware =>
process_creation}/process_creation_mal_blue_mockingbird.yml (100%)
rename rules/windows/{malware => process_creation}/process_creation_mal_darkside_ransomware.yml (100%)
rename rules/windows/{malware => process_creation}/process_creation_mal_lockergoga_ransomware.yml (100%)
rename rules/windows/{malware => process_creation}/process_creation_mal_ryuk.yml (100%)
rename rules/windows/{malware => registry_event}/registry_event_mal_azorult.yml (100%)
rename rules/windows/{malware => registry_event}/registry_event_mal_blue_mockingbird.yml (100%)
rename rules/windows/{malware => registry_event}/registry_event_mal_flowcloud.yml (100%)
rename rules/windows/{malware => registry_event}/registry_event_mal_netwire.yml (100%)
rename rules/windows/{malware => registry_event}/registry_event_mal_ursnif.yml (100%)
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/application/antivirus/av_exploiting.yml
similarity index 100%
rename from rules/windows/malware/av_exploiting.yml
rename to rules/application/antivirus/av_exploiting.yml
diff --git a/rules/windows/malware/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
similarity index 100%
rename from rules/windows/malware/av_hacktool.yml
rename to rules/application/antivirus/av_hacktool.yml
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/application/antivirus/av_password_dumper.yml
similarity index 100%
rename from rules/windows/malware/av_password_dumper.yml
rename to rules/application/antivirus/av_password_dumper.yml
diff --git a/rules/windows/malware/av_printernightmare_cve_2021_34527.yml b/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
similarity index 100%
rename from rules/windows/malware/av_printernightmare_cve_2021_34527.yml
rename to rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml
similarity index 100%
rename from rules/windows/malware/av_relevant_files.yml
rename to rules/application/antivirus/av_relevant_files.yml
diff --git a/rules/windows/malware/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
similarity index 100%
rename from rules/windows/malware/av_webshell.yml
rename to rules/application/antivirus/av_webshell.yml
diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/application/edr/windows/edr_command_execution_by_office_applications.yml
similarity index 100%
rename from rules/windows/edr/edr_command_execution_by_office_applications.yml
rename to rules/application/edr/windows/edr_command_execution_by_office_applications.yml
diff --git a/rules/windows/malware/file_event_mal_octopus_scanner.yml b/rules/windows/file_event/file_event_mal_octopus_scanner.yml
similarity index 100%
rename from rules/windows/malware/file_event_mal_octopus_scanner.yml
rename to rules/windows/file_event/file_event_mal_octopus_scanner.yml
diff --git a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_blue_mockingbird.yml
rename to rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_darkside_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_ryuk.yml b/rules/windows/process_creation/process_creation_mal_ryuk.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_ryuk.yml
rename to rules/windows/process_creation/process_creation_mal_ryuk.yml
diff --git a/rules/windows/malware/registry_event_mal_azorult.yml b/rules/windows/registry_event/registry_event_mal_azorult.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_azorult.yml
rename to rules/windows/registry_event/registry_event_mal_azorult.yml
diff --git a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_blue_mockingbird.yml
rename to rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/registry_event_mal_flowcloud.yml b/rules/windows/registry_event/registry_event_mal_flowcloud.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_flowcloud.yml
rename to rules/windows/registry_event/registry_event_mal_flowcloud.yml
diff --git a/rules/windows/malware/registry_event_mal_netwire.yml b/rules/windows/registry_event/registry_event_mal_netwire.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_netwire.yml
rename to rules/windows/registry_event/registry_event_mal_netwire.yml
diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/registry_event/registry_event_mal_ursnif.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_ursnif.yml
rename to rules/windows/registry_event/registry_event_mal_ursnif.yml
From 7053d42e439b1c7e1aa99a723952fe12228c23d4 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 21 Jan 2022 11:59:13 +0100
Subject: [PATCH 65/90] move to builtin
---
.../applocker/win_applocker_file_was_not_allowed_to_run.yml | 0
.../code_integrity/win_codeintegrity_failed_driver_load.yml | 0
rules/windows/{other => builtin}/dns_server/win_apt_gallium.yml | 0
.../windows/{other => builtin}/dns_server/win_susp_dns_config.yml | 0
.../driverframeworks/win_usb_device_plugged.yml | 0
rules/windows/{other => builtin}/ldap/win_ldap_recon.yml | 0
.../{other => builtin}/msexchange/win_exchange_cve_2021_42321.yml | 0
.../msexchange/win_exchange_proxylogon_oabvirtualdir.yml | 0
.../msexchange/win_exchange_proxyshell_certificate_generation.yml | 0
.../msexchange/win_exchange_proxyshell_mailbox_export.yml | 0
.../msexchange/win_exchange_proxyshell_remove_mailbox_export.yml | 0
.../{other => builtin}/msexchange/win_exchange_transportagent.yml | 0
.../msexchange/win_exchange_transportagent_failed.yml | 0
.../msexchange/win_set_oabvirtualdirectory_externalurl.yml | 0
rules/windows/{other => builtin}/ntlm/win_susp_ntlm_auth.yml | 0
rules/windows/{other => builtin}/ntlm/win_susp_ntlm_rdp.yml | 0
.../printservice/win_exploit_cve_2021_1675_printspooler.yml | 0
.../win_exploit_cve_2021_1675_printspooler_operational.yml | 0
.../servicebus/win_hybridconnectionmgr_svc_running.yml | 0
.../{other => builtin}/smbclient/win_susp_failed_guest_logon.yml | 0
.../taskscheduler/win_rare_schtask_creation.yml | 0
.../{other => builtin}/windefend/win_alert_lsass_access.yml | 0
.../{other => builtin}/windefend/win_defender_amsi_trigger.yml | 0
.../{other => builtin}/windefend/win_defender_disabled.yml | 0
.../{other => builtin}/windefend/win_defender_exclusions.yml | 0
.../{other => builtin}/windefend/win_defender_history_delete.yml | 0
.../{other => builtin}/windefend/win_defender_psexec_wmi_asr.yml | 0
.../windefend/win_defender_tamper_protection_trigger.yml | 0
.../windows/{other => builtin}/windefend/win_defender_threat.yml | 0
rules/windows/{other =>
builtin}/wmi/win_wmi_persistence.yml | 0
30 files changed, 0 insertions(+), 0 deletions(-)
rename rules/windows/{other => builtin}/applocker/win_applocker_file_was_not_allowed_to_run.yml (100%)
rename rules/windows/{other => builtin}/code_integrity/win_codeintegrity_failed_driver_load.yml (100%)
rename rules/windows/{other => builtin}/dns_server/win_apt_gallium.yml (100%)
rename rules/windows/{other => builtin}/dns_server/win_susp_dns_config.yml (100%)
rename rules/windows/{other => builtin}/driverframeworks/win_usb_device_plugged.yml (100%)
rename rules/windows/{other => builtin}/ldap/win_ldap_recon.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_cve_2021_42321.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_proxylogon_oabvirtualdir.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_proxyshell_certificate_generation.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_proxyshell_mailbox_export.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_transportagent.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_exchange_transportagent_failed.yml (100%)
rename rules/windows/{other => builtin}/msexchange/win_set_oabvirtualdirectory_externalurl.yml (100%)
rename rules/windows/{other => builtin}/ntlm/win_susp_ntlm_auth.yml (100%)
rename rules/windows/{other => builtin}/ntlm/win_susp_ntlm_rdp.yml (100%)
rename rules/windows/{other => builtin}/printservice/win_exploit_cve_2021_1675_printspooler.yml (100%)
rename rules/windows/{other => builtin}/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml (100%)
rename rules/windows/{other => builtin}/servicebus/win_hybridconnectionmgr_svc_running.yml (100%)
rename rules/windows/{other => builtin}/smbclient/win_susp_failed_guest_logon.yml (100%)
rename rules/windows/{other
=> builtin}/taskscheduler/win_rare_schtask_creation.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_alert_lsass_access.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_amsi_trigger.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_disabled.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_exclusions.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_history_delete.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_psexec_wmi_asr.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_tamper_protection_trigger.yml (100%)
rename rules/windows/{other => builtin}/windefend/win_defender_threat.yml (100%)
rename rules/windows/{other => builtin}/wmi/win_wmi_persistence.yml (100%)
diff --git a/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
similarity index 100%
rename from rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
rename to rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
diff --git a/rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
similarity index 100%
rename from rules/windows/other/code_integrity/win_codeintegrity_failed_driver_load.yml
rename to rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
diff --git a/rules/windows/other/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
similarity index 100%
rename from rules/windows/other/dns_server/win_apt_gallium.yml
rename to rules/windows/builtin/dns_server/win_apt_gallium.yml
diff --git a/rules/windows/other/dns_server/win_susp_dns_config.yml b/rules/windows/builtin/dns_server/win_susp_dns_config.yml
similarity index 100%
rename from rules/windows/other/dns_server/win_susp_dns_config.yml
rename to rules/windows/builtin/dns_server/win_susp_dns_config.yml
diff --git a/rules/windows/other/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
similarity index 100%
rename from rules/windows/other/driverframeworks/win_usb_device_plugged.yml
rename to rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
diff --git a/rules/windows/other/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
similarity index 100%
rename from rules/windows/other/ldap/win_ldap_recon.yml
rename to rules/windows/builtin/ldap/win_ldap_recon.yml
diff --git a/rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml
rename to rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
diff --git a/rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
rename to rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
diff --git a/rules/windows/other/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_transportagent.yml
rename to rules/windows/builtin/msexchange/win_exchange_transportagent.yml
diff --git a/rules/windows/other/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_exchange_transportagent_failed.yml
rename to rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
diff --git a/rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml
similarity index 100%
rename from rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml
rename to rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
similarity index 100%
rename from rules/windows/other/ntlm/win_susp_ntlm_auth.yml
rename to rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
diff --git a/rules/windows/other/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
similarity index 100%
rename from rules/windows/other/ntlm/win_susp_ntlm_rdp.yml
rename to rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
diff --git a/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
similarity index 100%
rename from rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml
rename to rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
diff --git a/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
similarity index 100%
rename from rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
rename to rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
diff --git a/rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
similarity index 100%
rename from rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml
rename to rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
diff --git a/rules/windows/other/smbclient/win_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
similarity index 100%
rename from rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
rename to rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
diff --git a/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
similarity index 100%
rename from rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
rename to rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/builtin/windefend/win_alert_lsass_access.yml
similarity index 100%
rename from rules/windows/other/windefend/win_alert_lsass_access.yml
rename to rules/windows/builtin/windefend/win_alert_lsass_access.yml
diff --git a/rules/windows/other/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_amsi_trigger.yml
rename to rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
diff --git a/rules/windows/other/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_disabled.yml
rename to rules/windows/builtin/windefend/win_defender_disabled.yml
diff --git a/rules/windows/other/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_exclusions.yml
rename to rules/windows/builtin/windefend/win_defender_exclusions.yml
diff --git a/rules/windows/other/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_history_delete.yml
rename to rules/windows/builtin/windefend/win_defender_history_delete.yml
diff --git a/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml b/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
rename to rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml
diff --git a/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
rename to rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
diff --git a/rules/windows/other/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
similarity index 100%
rename from rules/windows/other/windefend/win_defender_threat.yml
rename to rules/windows/builtin/windefend/win_defender_threat.yml
diff --git a/rules/windows/other/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml
similarity index 100%
rename from rules/windows/other/wmi/win_wmi_persistence.yml
rename to rules/windows/builtin/wmi/win_wmi_persistence.yml
From 6eeb0723ed82bed255a6d0793d3971392ce2f48f Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 21 Jan 2022 13:14:35 +0100
Subject: [PATCH 66/90] Fix FP thanks aurora
---
rules/windows/process_access/win_susp_proc_access_lsass.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index 50607b328..18af3ff6d 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -62,6 +62,7 @@ detection:
 - 'C:\Windows\SysWOW64\msiexec.exe'
 - 'C:\Windows\System32\msiexec.exe'
 - 'C:\Windows\System32\lsass.exe'
+ - 'C:\WINDOWS\System32\perfmon.exe'
 # Windows Defender
 filter2:
 SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
From 97f4bda4bce47453e627549a6fb875dec7a6205b Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 21 Jan 2022 14:16:35 +0100
Subject: [PATCH 67/90] add win_fe_susp_colorcpl
---
.../file_event/win_fe_susp_colorcpl.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/file_event/win_fe_susp_colorcpl.yml
diff --git a/rules/windows/file_event/win_fe_susp_colorcpl.yml b/rules/windows/file_event/win_fe_susp_colorcpl.yml
new file mode 100644
index 000000000..deb3389c8
--- /dev/null
+++ b/rules/windows/file_event/win_fe_susp_colorcpl.yml
@@ -0,0 +1,27 @@
+title: Suspicious Creation with Colorcpl
+id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
+status: experimental
+description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+author: frack113
+references:
+ - https://twitter.com/eral4m/status/1480468728324231172?s=20
+date: 2022/01/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: \colorcpl.exe
+ valid_ext:
+ TargetFilename|endswith:
+ - .icm
+ - .gmmp
+ - .cdmp
+ - .camp
+ condition: selection and not valid_ext
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564
From bbdfb79bc07b500e4dd4796ce49044bb4274a7ec Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Sat, 22 Jan 2022 15:12:24 +0100
Subject: [PATCH 68/90] Adding new linux auditd rule - Disable Dystem Firewall
---
.../lnx_auditd_disable_system_firewall.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
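Review bot: The added `- 'C:\WINDOWS\System32\perfmon.exe'` spells the Windows folder in upper case while every neighbouring entry in this list uses `C:\Windows\...`; Sigma string matching is case-insensitive so the filter still applies, but the odd casing reads like a value pasted from an event and will make the next reader stop to check for a typo. Suggest `- 'C:\Windows\System32\perfmon.exe'` to keep the list uniform. The filter this list belongs to and the field it matches are above the hunk, so whether this is a full-path SourceImage match cannot be confirmed from here.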
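Review bot: The `valid_ext` allow-list in win_fe_susp_colorcpl.yml names `.icm`, `.gmmp`, `.cdmp` and `.camp` but not `.icc`, which to my knowledge is the other standard ICC profile extension colorcpl installs, so a legitimate profile install would presumably alert at `level: high` with `falsepositives` left at `Unknown`; worth confirming against a real install and adding `- .icc` if so. The description ties the behaviour to `c:\windows\system32\spool\drivers\color\`, yet `selection` does not constrain `TargetFilename` to that directory; if the wider scope is intended, a one-line comment saying so would stop reviewers from "fixing" it, otherwise `TargetFilename|contains: '\spool\drivers\color\'` would match the description. Style: `Image|endswith: \colorcpl.exe` and the extension entries are unquoted plain scalars, while the sibling rules in this series quote path fragments (`'C:\Windows\...'`); `'\colorcpl.exe'` and `'.icm'` would follow that convention.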
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
new file mode 100644
index 000000000..14ee8b54b
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
@@ -0,0 +1,27 @@
+title: Disable System Firewall
+id: 53059bc0-1472-438b-956a-7508a94a91f0
+status: experimental
+description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
+author: 'Pawel Mazur'
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+ - https://attack.mitre.org/techniques/T1562/004/
+ - https://firewalld.org/documentation/man-pages/firewall-cmd.html
+date: 2022/01/22
+logsource:
+ product: linux
+ service: auditd
+detection:
+ service_stop:
+ type: 'SERVICE_STOP'
+ unit:
+ - 'firewalld'
+ - 'iptables'
+ - 'ufw'
+ condition: service_stop
+falsepositives:
+ - Admin activity
+level: high
+tags:
+ - attack.t1562.004
+ - attack.defense_evasion
\ No newline at end of file
From 83afc12875b2a06611b4e29122da94845f4616e2 Mon Sep 17 00:00:00 2001
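Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which none of the other rules in this series do; add the final newline. The `unit` list covers `firewalld`, `iptables` and `ufw` but not `nftables`, the systemd unit that has replaced iptables on current Debian and Fedora releases, so stopping the firewall on those hosts would not match; suggest `- 'nftables'` if the auditd SERVICE_STOP record carries that unit name. Minor style: `author: 'Pawel Mazur'` is quoted while the sibling rules use a plain scalar for author.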
From: sagiezero <61778471+sagiezero@users.noreply.github.com>
Date: Sun, 23 Jan 2022 09:44:24 +0200
Subject: [PATCH 69/90] fix(rules): changed "product" and "service" to suggested values.
---
.../rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml | 4 ++--
rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml | 4 ++--
rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml | 4 ++--
rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml | 4 ++--
.../application/rpc_firewall/rpc_firewall_eventlog_recon.yml | 4 ++--
.../rpc_firewall_itaskschedulerservice_lateral_movement.yml | 4 ++--
.../rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml | 4 ++--
.../rpc_firewall/rpc_firewall_printing_lateral_movement.yml | 4 ++--
.../rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml | 4 ++--
.../rpc_firewall_remote_registry_lateral_movement.yml | 4 ++--
.../rpc_firewall/rpc_firewall_remote_registry_recon.yml | 4 ++--
.../rpc_firewall/rpc_firewall_remote_server_service_abuse.yml | 4 ++--
.../rpc_firewall_remote_service_lateral_movement.yml | 4 ++--
.../rpc_firewall/rpc_firewall_sasec_lateral_movement.yml | 4 ++--
rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml | 4 ++--
.../rpc_firewall/rpc_firewall_sharphound_recon_account.yml | 4 ++--
.../rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml | 4 ++--
17 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 3eb7a8067..74039ee14 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -17,8 +17,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 42782035c..4ee610ce7 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -13,8 +13,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
index 0f3de7691..badff3ec5 100644
--- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
@@ -14,8 +14,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index 49a03711f..46b0150c2 100644
--- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -14,8 +14,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index d4adfc5a8..b095d3774 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
@@ -11,8 +11,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 5fefb3796..e6cf10772 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -17,8 +17,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
 detection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index 0f137a06c..67ed17d74 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -12,8 +12,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index 52b84b0c1..123925f97 100644
--- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -16,8 +16,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
index cedae663d..ea909d4da 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -17,8 +17,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index 51f8c098e..d6c6eacab 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -15,8 +15,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index 779bd9d35..237e3d5ea 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -12,8 +12,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index b16f441cc..33edaab4b 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -14,8 +14,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index 1fc9018b4..10bdf7a1e 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -16,8 +16,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 7b4d8cea1..0e0151b04 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -17,8 +17,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index 8d594dce8..aa28a4bc5 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -12,8 +12,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index 939052b9c..dd9d1b6cd 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -14,8 +14,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
 detection:
 selection:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index 71e8ac8a9..b2a92416a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
@@ -14,8 +14,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022/01/01
 modified: 2022/01/01
 logsource:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
 detection:
 selection:
From 2c6b779fa3afb6a1db0eb95768ed872303241b83 Mon Sep 17 00:00:00 2001
From: sagiezero <61778471+sagiezero@users.noreply.github.com>
Date: Sun, 23 Jan 2022 10:18:17 +0200
Subject: [PATCH 70/90] fix(rules): misshap in "test_rules", and also updated the splunk-windows.yml configuration
---
 tests/test_rules.py | 1 -
 tools/config/splunk-windows.yml | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 10eaf7940..be340f84d 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -625,7 +625,6 @@ class TestRules(unittest.TestCase):
 "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title")
 def test_invalid_logsource_attributes(self):
- print("Testing invalid log sources...\n")
 faulty_rules = []
 valid_logsource = [
 'category',
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index a6227635f..9d69d3f87 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -113,8 +113,8 @@ logsources:
 conditions:
 source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
 windows-rpc-firewall:
- product: windows
- service: rpc-firewall
+ product: rpc_firewall
+ category: application
 conditions:
 source: 'WinEventLog:RPCFW'
 fieldmappings:
From 41baa3c4c52784e92e0b0f58358578644bf22988 Mon Sep 17 00:00:00 2001
From: sagiezero <61778471+sagiezero@users.noreply.github.com>
Date: Sun, 23 Jan 2022 10:35:46 +0200
Subject: [PATCH 71/90] fix(rules): misshap in "test_rules", and also updated the splunk-windows.yml configuration
---
 tools/config/splunk-windows.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 9d69d3f87..34b8dd7b9 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -115,7 +115,7 @@ logsources:
 windows-rpc-firewall:
 product: rpc_firewall
 category: application
- conditions:
- source: 'WinEventLog:RPCFW'
+ conditions:
+ source: 'WinEventLog:RPCFW'
 fieldmappings:
 EventID: EventCode
From 31e38623de58072445248dc362b961744d93c1e7 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 23 Jan 2022 11:35:36 +0100
Subject: [PATCH 72/90] Update win_susp_curl_fileupload
---
 .../process_creation/win_susp_curl_fileupload.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_curl_fileupload.yml b/rules/windows/process_creation/win_susp_curl_fileupload.yml
index c76ac44c5..dbe45bb0f 100644
--- a/rules/windows/process_creation/win_susp_curl_fileupload.yml
+++ b/rules/windows/process_creation/win_susp_curl_fileupload.yml
@@ -6,15 +6,22 @@ author: Florian Roth
 references:
 - https://twitter.com/d1r4c/status/1279042657508081664
 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
+ - https://curl.se/docs/manpage.html
 date: 2020/07/03
-modified: 2021/11/27
+modified: 2022/01/22
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image|endswith: '\curl.exe'
- CommandLine|contains: ' -F '
+ CommandLine|contains:
+ - ' -F '
+ - ' -T '
+ - ' --upload-file '
+ - ' -d '
+ - ' --data '
 condition: selection
 fields:
 - CommandLine
@@ -25,3 +32,4 @@ level: medium
 tags:
 - attack.exfiltration
 - attack.t1567
+ - attack.t1105
From 90334e7f7c7d48f0ff63d0df1350dda79e61f090 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 23 Jan 2022 11:37:01 +0100
Subject: [PATCH 73/90] Redcannary windows test
---
 .../network_connection/win_nc_imewdbld.yml | 23 ++++++++++++++
 .../posh_ps_susp_ssl_keyword.yml | 25 +++++++++++++++
 .../posh_ps_test_netconnection.yml | 31 +++++++++++++++++++
 .../process_creation/win_pc_cmd_redirect.yml | 22 +++++++++++++
 .../process_creation/win_pc_susp_radmin.yml | 25 +++++++++++++++
 .../win_re_change_security_zones.yml | 27 ++++++++++++++++
 .../win_re_hidden_extention.yml | 29 +++++++++++++++++
 7 files changed, 182 insertions(+)
 create mode 100644 rules/windows/network_connection/win_nc_imewdbld.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
 create mode 100644 rules/windows/process_creation/win_pc_cmd_redirect.yml
 create mode 100644 rules/windows/process_creation/win_pc_susp_radmin.yml
 create mode 100644 rules/windows/registry_event/win_re_change_security_zones.yml
 create mode 100644 rules/windows/registry_event/win_re_hidden_extention.yml
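Review bot: The new `' -d '` and `' --data '` entries in `CommandLine|contains` match every ordinary curl POST body, not only uploads, while the rule's title and its `attack.exfiltration` tag are about file upload; the existing `-F`/`-T`/`--upload-file` entries are upload-specific and this addition will raise the noise floor well above them. If the intent is the `@file` form from the referenced Atomic test, anchor the two new entries on it, `- ' -d @'` and `- ' --data @'`, and consider `- ' --data-binary @'` alongside since that is the form used for raw file bodies. The rule's `falsepositives` section is outside the hunk and may need an entry for scripted POST requests if the broad form is kept.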
diff --git a/rules/windows/network_connection/win_nc_imewdbld.yml b/rules/windows/network_connection/win_nc_imewdbld.yml
new file mode 100644
index 000000000..bbd5d676c
--- /dev/null
+++ b/rules/windows/network_connection/win_nc_imewdbld.yml
@@ -0,0 +1,23 @@
+title: Download a File with IMEWDBLD.exe
+id: 8d7e392e-9b28-49e1-831d-5949c6281228
+status: experimental
+description: Use IMEWDBLD.exe (built-in to windows) to download a file
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
+ - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+date: 2022/01/22
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith: '\IMEWDBLD.exe'
+ condition: selection
+falsepositives:
+ - Legitimate script
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
new file mode 100644
index 000000000..e02900789
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -0,0 +1,25 @@
+title: Suspicious SSL Connection
+id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
+status: experimental
+description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
+ - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
+author: frack113
+date: 2022/01/23
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - System.Net.Security.SslStream
+ - Net.Security.RemoteCertificateValidationCallback
+ - '.AuthenticateAsClient'
+ condition: selection
+falsepositives:
+ - legitimate administrative script
+level: low
+tags:
+ - attack.command_and_control
+ - attack.t1573
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
new file mode 100644
index 000000000..6d969e7fa
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -0,0 +1,31 @@
+title: Testing Usage of Uncommonly Used Port
+id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
+status: experimental
+description: |
+ Adversaries may communicate using a protocol and port paring that are typically not associated.
+ For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
+ - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
+author: frack113
+date: 2022/01/23
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Test-NetConnection
+ - '-ComputerName '
+ - '-port '
+ filter :
+ ScriptBlockText|contains:
+ - ' 443 '
+ - ' 80 '
+ condition: selection and not filter
+falsepositives:
+ - legitimate administrative script
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1571
diff --git a/rules/windows/process_creation/win_pc_cmd_redirect.yml b/rules/windows/process_creation/win_pc_cmd_redirect.yml
new file mode 100644
index 000000000..44582efde
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_cmd_redirect.yml
@@ -0,0 +1,22 @@
+title: Redirect Output in CommandLine
+id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
+status: experimental
+description: Use ">" to redicrect information in commandline
+author: frack113
+references:
+ - https://ss64.com/nt/syntax-redirection.html
+date: 2022/01/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: '>'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.discovery
+ - attack.t1082
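Review bot: The `filter` entries `' 443 '` and `' 80 '` only exclude a port that is followed by a space, so `Test-NetConnection -ComputerName host -Port 443` at the end of a script block, or followed by a newline, `;` or `)`, is not filtered and the rule fires on exactly the ports it means to ignore. Because `' 80 '`-style substrings cannot distinguish 80 from 8080 or 8088 (the example in `description`), a regex on the parameter is the robust form, e.g. `ScriptBlockText|re: '-[Pp]ort\s+(443|80)\b'` in the filter. `filter :` also carries a stray space before the colon, which some YAML linters reject.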
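Review bot: `CommandLine|contains: '>'` under `\cmd.exe` matches essentially every batch file and scheduled script that redirects output, yet `falsepositives` says `Unknown` and the tags map the rule to `attack.t1082` (System Information Discovery), which output redirection by itself does not evidence. Either narrow `selection` to the discovery commands the redirect is expected to accompany, or document the expected volume with `- Legitimate scripts and batch files` and pick a tag that describes what is actually observed. The `description` also has a typo, `redicrect` for `redirect`.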
diff --git a/rules/windows/process_creation/win_pc_susp_radmin.yml b/rules/windows/process_creation/win_pc_susp_radmin.yml
new file mode 100644
index 000000000..4e90803f2
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_radmin.yml
@@ -0,0 +1,25 @@
+title: Use Radmin Viewer Utility
+id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
+status: experimental
+description: An adversary may use Radmin Viewer Utility to remotely control Windows device
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md#atomic-test-1---radmin-viewer-utility
+ - https://www.radmin.fr/
+date: 2022/01/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Description: 'Radmin Viewer'
+ - Product: 'Radmin Viewer'
+ - OriginalFileName: 'Radmin.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1072
diff --git a/rules/windows/registry_event/win_re_change_security_zones.yml b/rules/windows/registry_event/win_re_change_security_zones.yml
new file mode 100644
index 000000000..e88bc1e50
--- /dev/null
+++ b/rules/windows/registry_event/win_re_change_security_zones.yml
@@ -0,0 +1,27 @@
+title: IE Change Domain Zone
+id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
+description: Hides the file extension through modification of the registry
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
+ - https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_domains:
+ EventType: SetValue
+ TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
+ filter:
+ Details:
+ - DWORD (0x00000000) # My Computer
+ - DWORD (0x00000001) # Local Intranet Zone
+ condition: selection_domains
+falsepositives:
+ - Administrative scripts
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1137
diff --git a/rules/windows/registry_event/win_re_hidden_extention.yml b/rules/windows/registry_event/win_re_hidden_extention.yml
new file mode 100644
index 000000000..f24c17591
--- /dev/null
+++ b/rules/windows/registry_event/win_re_hidden_extention.yml
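Review bot: `filter` is defined but never referenced: `condition: selection_domains` should read `condition: selection_domains and not filter`, otherwise the `My Computer` and `Local Intranet Zone` exclusions have no effect and the rule fires on every write under `ZoneMap\Domains\`. The `description` (`Hides the file extension through modification of the registry`) is copied from the HideFileExt rule and does not describe this one; something like `Detects modification of the Internet Explorer ZoneMap registry keys that place a domain in a security zone` fits the detection. The tags `attack.persistence`/`attack.t1137` also do not match the referenced Atomic test, which is T1112 (Modify Registry).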
@@ -0,0 +1,29 @@
+title: Registry Modification to Hidden File Extension
+id: 5df86130-4e95-4a54-90f7-26541b40aec2
+description: Hides the file extension through modification of the registry
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
+ - https://unit42.paloaltonetworks.com/ransomware-families/
+ - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_HideFileExt:
+ EventType: SetValue
+ TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
+ Details: DWORD (0x00000001)
+ selection_Hidden:
+ EventType: SetValue
+ TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
+ Details: DWORD (0x00000002)
+ condition: 1 of selection_*
+falsepositives:
+ - Administrative scripts
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1137
From 1b8fa21be1327d1b22415472e381bac2e6cb5e93 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 23 Jan 2022 11:40:35 +0100
Subject: [PATCH 74/90] Fix space
---
 .../powershell/powershell_script/posh_ps_test_netconnection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index 6d969e7fa..a3ff348dd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -18,7 +18,7 @@ detection:
 - Test-NetConnection
 - '-ComputerName '
 - '-port '
- filter :
+ filter:
 ScriptBlockText|contains:
 - ' 443 '
 - ' 80 '
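Review bot: The tags `attack.persistence`/`attack.t1137` (Office Application Startup) do not describe a rule on the Explorer `HideFileExt`/`Hidden` values; the referenced Atomic test is T1112 (Modify Registry) under Defense Evasion, so `- attack.defense_evasion` and `- attack.t1112` would be consistent with the references. Both selections also match user-driven changes made through the Explorer folder-options dialog, which is worth naming in `falsepositives` next to `Administrative scripts` so the `medium` level is understood as a triage signal rather than a confirmed-malicious one.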
From 097704d834bebff14a2638aed618a287ddec696a Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 23 Jan 2022 14:47:25 +0100
Subject: [PATCH 75/90] add win_pc_susp_instalutil
---
 .../win_pc_susp_instalutil.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_pc_susp_instalutil.yml
diff --git a/rules/windows/process_creation/win_pc_susp_instalutil.yml b/rules/windows/process_creation/win_pc_susp_instalutil.yml
new file mode 100644
index 000000000..6dc9ccb4e
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_instalutil.yml
@@ -0,0 +1,25 @@
+title: Suspicious Execution of InstallUtil Without Log
+id: d042284c-a296-4988-9be5-f424fadcc28c
+status: experimental
+description: Uses the .NET InstallUtil.exe application in order to execute image without log
+author: frack113
+references:
+ - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
+date: 2022/01/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \InstallUtil.exe
+ Image|contains: Microsoft.NET\Framework64\
+ Commandline|contains|all:
+ - '/logfile= '
+ - '/LogToConsole=false'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
From f1959f25d7e7bb3a1c02f875e167d1819f702861 Mon Sep 17 00:00:00 2001
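Review bot: `Image|contains: Microsoft.NET\Framework64\` restricts the rule to the 64-bit InstallUtil; the 32-bit copy under `Microsoft.NET\Framework\` accepts the same `/logfile=`/`/LogToConsole=false` switches and is not covered. Dropping the suffix to `Image|contains: Microsoft.NET\Framework` matches both directories with one entry. The `tags` list has only the tactic; InstallUtil execution is T1218.004, so `- attack.t1218.004` belongs with `attack.defense_evasion`.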
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 23 Jan 2022 16:37:59 +0100
Subject: [PATCH 76/90] Windows Redcannary
---
 .../windows/file_event/win_fe_macro_file.yml | 36 +++++++++++++++++++
 ...sh_ps_susp_invoke_webrequest_useragent.yml | 27 ++++++++++++++
 .../win_pc_susp_curl_useragent.yml | 31 ++++++++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 rules/windows/file_event/win_fe_macro_file.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
 create mode 100644 rules/windows/process_creation/win_pc_susp_curl_useragent.yml
diff --git a/rules/windows/file_event/win_fe_macro_file.yml b/rules/windows/file_event/win_fe_macro_file.yml
new file mode 100644
index 000000000..55e102b80
--- /dev/null
+++ b/rules/windows/file_event/win_fe_macro_file.yml
@@ -0,0 +1,36 @@
+title: Dump Office Macro Files from Commandline
+id: b1c50487-1967-4315-a026-6491686d860e
+status: experimental
+description: A office file with macro is created from a commandline or a script
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md
+ - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+date: 2022/01/23
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_ext:
+ TargetFilename|endswith:
+ - .docm
+ - .dotm
+ - .xlsm
+ - .xltm
+ - .potm
+ - .pptm
+ - .pptx
+ selection_cmd:
+ - Image|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - ParentImage|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1566.001
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
new file mode 100644
index 000000000..2477e7898
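Review bot: `.pptx` in the `TargetFilename|endswith` list is not a macro-enabled format (`.pptm`, already listed, is), so the rule as written fires on every PowerPoint file a script writes, while the `.docx`/`.xlsx` counterparts are correctly absent — this looks like a slip and `- .pptx` should be dropped. If the intent is to cover every macro-bearing Office format, the referenced file-format page also lists the macro-enabled add-in types (`.xlam`, `.ppam`); worth confirming against it before adding. The new file ends without a trailing newline (`\ No newline at end of file`).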
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -0,0 +1,27 @@
+title: Change User Agents with WebRequest
+id: d4488827-73af-4f8d-9244-7b7662ef046e
+status: experimental
+author: frack113
+date: 2022/01/23
+description: |
+ Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
+ Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Invoke-WebRequest
+ - '-UserAgent '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+
diff --git a/rules/windows/process_creation/win_pc_susp_curl_useragent.yml b/rules/windows/process_creation/win_pc_susp_curl_useragent.yml
new file mode 100644
index 000000000..f2a7d88f1
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_curl_useragent.yml
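Review bot: `Invoke-WebRequest -UserAgent` is a routine parameter in administrative and vendor-supplied scripts (API clients that must present a specific agent string), so `falsepositives: Unknown` at `level: medium` understates the expected volume; the sibling curl rule in this same commit lists `Scripts created by developers and admins`, and the same entry fits here. The hunk also adds a trailing empty `+` line after `- attack.t1071.001`, which yamllint flags as trailing blank lines.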
@@ -0,0 +1,31 @@
+title: Suspicious Curl Change User Agents
+id: 3286d37a-00fd-41c2-a624-a672dcd34e60
+status: experimental
+description: Detects a suspicious curl process start on Windows with set useragent options
+author: frack113
+references:
+ - https://curl.se/docs/manpage.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
+date: 2022/01/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_curl:
+ - Image|endswith: '\curl.exe'
+ - Product: 'The curl executable'
+ selection_opt:
+ CommandLine|contains:
+ - ' -A '
+ - ' --user-agent '
+ condition: all of selection_*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
From 2dc0c2a8a9d1b41a96c5277ed55cd5836563e0b5 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 23 Jan 2022 19:12:12 +0100
Subject: [PATCH 77/90] fix field name case
---
 rules/windows/process_creation/win_pc_susp_instalutil.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_pc_susp_instalutil.yml b/rules/windows/process_creation/win_pc_susp_instalutil.yml
index 6dc9ccb4e..cbf7ebc50 100644
--- a/rules/windows/process_creation/win_pc_susp_instalutil.yml
+++ b/rules/windows/process_creation/win_pc_susp_instalutil.yml
@@ -14,7 +14,7 @@ detection:
 selection:
 Image|endswith: \InstallUtil.exe
 Image|contains: Microsoft.NET\Framework64\
- Commandline|contains|all:
+ CommandLine|contains|all:
 - '/logfile= '
 - '/LogToConsole=false'
 condition: selection
From 4be9a6c3adfc3577c0fc8c3f224abc4232a35235 Mon Sep 17 00:00:00 2001
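Review bot: `' -A '` in `selection_opt` is matched case-insensitively by Sigma backends, so it also hits curl's unrelated lowercase `-a` (`--append`) option; if only the user-agent switch is intended, that trade-off should be recorded under `falsepositives` (e.g. `- curl invocations using the unrelated -a/--append option`) or the short form dropped in favour of `' --user-agent '` alone. The `Product: 'The curl executable'` branch of `selection_curl` relies on a Sysmon-only field, so on Security 4688 data only the `Image|endswith` branch contributes — worth a `definition:` line under `logsource`. The title reads better as `Suspicious Curl User Agent Change`.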
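Review bot: The `Commandline` → `CommandLine` fix is not accompanied by a bump of the rule's `modified:` date, which sits in the header outside this hunk; the diffstat (`1 insertion(+), 1 deletion(-)`) confirms it was not touched. The other fixes on this page (patches 79, 81, 86) do update it, so for consistency add `modified: 2022/01/23` in the same commit.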
From: frack113
Date: Mon, 24 Jan 2022 10:03:52 +0100
Subject: [PATCH 78/90] Add win_re_blackbyte_ransomware
---
 .../win_re_blackbyte_ransomware.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/registry_event/win_re_blackbyte_ransomware.yml
diff --git a/rules/windows/registry_event/win_re_blackbyte_ransomware.yml b/rules/windows/registry_event/win_re_blackbyte_ransomware.yml
new file mode 100644
index 000000000..657fd0743
--- /dev/null
+++ b/rules/windows/registry_event/win_re_blackbyte_ransomware.yml
@@ -0,0 +1,27 @@
+title: Blackbyte Ransomware Registry
+id: 83314318-052a-4c90-a1ad-660ece38d276
+description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
+author: frack113
+date: 2022/01/24
+status: experimental
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject:
+ - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
+ - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
+ Details: DWORD (0x00000001)
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1112
From 9505a761e1980b51f70f61c03709c5bc47b68896 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 24 Jan 2022 11:54:58 +0100
Subject: [PATCH 79/90] fix: bug in rule - missing backspace
---
 ...eation_syncappvpublishingserver_vbs_execute_powershell.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
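Review bot: `condition: selection` fires when any one of the three `TargetObject` values is set to `DWORD (0x00000001)`, but the description says BlackByte sets all three, and two of them are routinely set by legitimate administration: `LongPathsEnabled` is turned on by some developer-tooling installers and `EnableLinkedConnections` is a standard fix for mapped drives under UAC. At `level: high` with `falsepositives: Unknown` that will page analysts on benign changes; either lower the level or document the known benign sources, e.g. `- Legitimate administration enabling long paths or linked connections` and `- Developer tooling installers that enable LongPathsEnabled`. If the three-value combination is the real signal, say so in the description so an analyst knows to look for the other two writes from the same host; `LocalAccountTokenFilterPolicy` alone is the entry most worth keeping at high.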
diff --git a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
index 59ddee7cf..8cd94e687 100644
--- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -3,7 +3,7 @@ id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
 status: experimental
 author: frack113
 date: 2021/07/16
-modified: 2021/09/12
+modified: 2022/01/24
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
@@ -19,7 +19,7 @@ detection:
 select_vbs:
 CommandLine|contains|all:
 - '\SyncAppvPublishingServer.vbs'
- - '"n;'
+ - '"\n;'
 condition: select_vbs
 fields:
 - ComputerName
From 0cad38be3405a2e2310caeda34933c88927d2faa Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Tue, 25 Jan 2022 11:43:13 +0100
Subject: [PATCH 80/90] fix: Add filter for empty image to rule
---
 .../process_creation_susp_image_missing.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_susp_image_missing.yml b/rules/windows/process_creation/process_creation_susp_image_missing.yml
index 0feb50481..2fc5ea632 100644
--- a/rules/windows/process_creation/process_creation_susp_image_missing.yml
+++ b/rules/windows/process_creation/process_creation_susp_image_missing.yml
@@ -15,8 +15,12 @@ logsource:
 detection:
 image_absolute_path:
 Image|contains: '\'
- filter:
+ filter_null:
 Image: null
+ filter_empty:
+ Image:
+ - '-'
+ - ''
 filter_4688:
 - Image: 'Registry'
 - CommandLine: 'Registry'
From 51d9aca239f4dfc12a16dcf997012eb3c9a47106 Mon Sep 17 00:00:00 2001
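Review bot: Please verify the new value `'"\n;'` against the Atomic T1216 test the rule references before merging: as far as I recall, the documented SyncAppvPublishingServer.vbs invocation passes the literal argument `"n;`, in which case the original `'"n;'` was correct and adding the backslash makes the `contains|all` clause never match. Note that inside YAML single quotes `\n` is a literal backslash followed by `n`, not a newline, so the entry now requires those two characters on the command line. If the backslash form was observed in real telemetry, keep both as separate list entries and cite the sample in `references`. The rest of `select_vbs`'s file, including the header, is outside these hunks.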
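Review bot: Renaming `filter` to `filter_null` only works if the rule's `condition` (outside this hunk) already references the filters with a wildcard such as `not 1 of filter_*`; the diffstat shows 5 insertions and 1 deletion, all inside this hunk, so the condition line was not touched. If it still reads `not filter`, the rule now fails to compile on an unknown identifier and the new `filter_empty` is never applied — please confirm or update the condition in the same commit. Also, the empty-string entry `- ''` is handled inconsistently across backends (some emit an exact match on an empty value, others drop the term), so a short comment stating which backend behaviour was tested would help maintainers.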
From: Max Altgelt
Date: Tue, 25 Jan 2022 11:46:16 +0100
Subject: [PATCH 81/90] chore: update modified date
---
 .../process_creation/process_creation_susp_image_missing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_susp_image_missing.yml b/rules/windows/process_creation/process_creation_susp_image_missing.yml
index 2fc5ea632..32d736f8b 100644
--- a/rules/windows/process_creation/process_creation_susp_image_missing.yml
+++ b/rules/windows/process_creation/process_creation_susp_image_missing.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2021/12/27
+modified: 2022/01/25
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
From 818b20b9490c9d3a81d40c7f4fadf6f1b95657ed Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 25 Jan 2022 19:58:18 +0100
Subject: [PATCH 82/90] add posh_ps_clear_powershell_history
---
 .../posh_ps_clear_powershell_history.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
new file mode 100644
index 000000000..9cc87d06f
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -0,0 +1,35 @@
+title: Clear PowerShell History
+id: 26b692dc-1722-49b2-b496-a8258aa6371d
+related:
+ - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+ type: derived
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+references:
+ - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+date: 2022/01/25
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_1:
+ ScriptBlockText|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ ScriptBlockText|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_2:
+ ScriptBlockText|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
\ No newline at end of file
From b3b37719e7bef479c94e9147770246787b56143c Mon Sep 17 00:00:00 2001
From: mhaag-spl <5632822+MHaggis@users.noreply.github.com>
Date: Wed, 26 Jan 2022 08:12:49 -0700
Subject: [PATCH 83/90] Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
---
 .../process_access/sysmon_lsass_memdump.yml | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 6bc1708e1..8c065d62a 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
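Review bot: The `'–HistorySaveStyle'` entry in `selection_2` begins with an en dash (U+2013) rather than an ASCII hyphen-minus, so the `contains|all` clause only matches script blocks typed with that typographic dash; the canonical `Set-PSReadlineOption -HistorySaveStyle SaveNothing` form, which PowerShell script-block logging records verbatim, will not match. Replace it with `- '-HistorySaveStyle'` (ASCII hyphen). None of the later hunks to this file on this page (patches 84, 85 and 90) touch that line. The file also lacks a trailing newline, which patch 84 fixes.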
@@ -1,12 +1,15 @@
 title: LSASS Memory Dump
 id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
 status: experimental
-description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
-author: Samir Bousseaden
+description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
+author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2021/06/21
+modified: 2022/01/25
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+ - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
+ - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -17,11 +20,22 @@ logsource:
 detection:
 selection:
 TargetImage|endswith: '\lsass.exe'
- GrantedAccess: '0x1fffff'
+ GrantedAccess|contains:
+ - '0x1fffff'
+ - '0x01000'
+ - '0x1010'
+ - '0x1038'
+ - '0x40'
+ - '0x1400'
+ - '0x1410'
+ - '0x1438'
+ - '0x143a'
+ - '0x1000'
 CallTrace|contains:
 - 'dbghelp.dll'
 - 'dbgcore.dll'
+ - 'ntdll.dll'
 condition: selection
 falsepositives:
- - unknown
-level: high
+ - False positives are present when looking for 0x1410. Exclusions may be required.
+level: high
\ No newline at end of file
From feedcee6bfd9d73616921b1fb3edf26f92c6099c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 26 Jan 2022 17:57:26 +0100
Subject: [PATCH 84/90] Update posh_ps_clear_powershell_history.yml
---
 .../powershell_script/posh_ps_clear_powershell_history.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
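Review bot: Switching `GrantedAccess` from an exact match to `|contains` makes the short masks far broader than intended: `'0x40'` also matches values such as `0x400`, `0x401` or `0x40000`, and `'0x1000'` matches `0x10000`, none of which are the access-right combinations the referenced write-ups describe. Also `'0x01000'` looks like a typo of `'0x1000'` (already in the list); as far as I know Sysmon renders the mask without leading zeros (e.g. `0x1410`), so that entry never matches. I would keep exact matching with a plain list — `GrantedAccess:` followed by `- '0x1fffff'`, `- '0x1010'`, `- '0x1038'`, `- '0x40'`, and so on — and drop `'0x01000'`. Patch 86 on this page already prunes `0x1010`/`0x1400` for false positives, so this note is only about the modifier and the typo; the second hunk also ends the file without a trailing newline.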
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index 9cc87d06f..d6747b799 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -19,8 +19,7 @@ detection:
 - 'del'
 - 'Remove-Item'
 - 'rm'
- ScriptBlockText|contains|all:
- - '(Get-PSReadlineOption).HistorySavePath'
+ ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
 selection_2:
 ScriptBlockText|contains|all:
 - 'Set-PSReadlineOption'
@@ -32,4 +31,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1070.003
\ No newline at end of file
+ - attack.t1070.003
From d52602dd5e4b5ba0325463dc78d1afe7fafc4762 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 26 Jan 2022 18:09:09 +0100
Subject: [PATCH 85/90] Update posh_ps_clear_powershell_history.yml
---
 .../powershell_script/posh_ps_clear_powershell_history.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index d6747b799..6e897ec73 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -19,7 +19,7 @@ detection:
 - 'del'
 - 'Remove-Item'
 - 'rm'
- ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
+ ScriptBlockText|contains|all: '(Get-PSReadlineOption).HistorySavePath'
 selection_2:
 ScriptBlockText|contains|all:
 - 'Set-PSReadlineOption'
From 82d5f4a511c88c952cace9a49775e2a589573898 Mon Sep 17 00:00:00 2001
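Review bot: Replacing `ScriptBlockText|contains|all:` with `ScriptBlockText|contains:` creates a duplicate mapping key inside `selection_1`, which already has a `ScriptBlockText|contains:` key for the `del`/`Remove-Item`/`rm` list (the three context lines just above the change). YAML loaders silently keep the last occurrence, so after this commit `selection_1` matches on `(Get-PSReadlineOption).HistorySavePath` alone and the delete-verb requirement is lost. Patch 85 on this page restores the `|all` form; to keep the same "cleanup" from recurring, a comment such as `# |all keeps this key distinct from the ScriptBlockText|contains list above` on that line would help. The enclosing `detection:` block starts outside the hunk.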
From: Florian Roth
Date: Thu, 27 Jan 2022 09:08:40 +0100
Subject: [PATCH 86/90] fix: too many false positives with certain access masks
---
 rules/windows/process_access/sysmon_lsass_memdump.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 8c065d62a..289f16f67 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/01/25
+modified: 2022/01/27
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -23,11 +23,11 @@ detection:
 GrantedAccess|contains:
 - '0x1fffff'
 - '0x01000'
- - '0x1010'
+ #- '0x1010' # Too many false positives
 - '0x1038'
 - '0x40'
- - '0x1400'
- - '0x1410'
+ #- '0x1400' # Too many false positives
+ - '0x1410'
 - '0x1438'
 - '0x143a'
 - '0x1000'
From c9249775762455fad39d80eb077a0fad8b697577 Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Thu, 27 Jan 2022 12:36:19 +0100
Subject: [PATCH 87/90] Adding auditd rule for CVE-2021-4034
---
 .../linux/auditd/lnx_auditd_cve_2021_4034.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
new file mode 100644
index 000000000..4e57e9ba6
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
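Review bot: The rationale for dropping `0x1010` and `0x1400` lives only in YAML comments inside the list (`#- '0x1010' # Too many false positives`), which every converter and round-trip tool discards, while the `falsepositives` section (outside this hunk) still mentions only `0x1410`. I would record it there instead, e.g. `- Access masks 0x1010 and 0x1400 were removed from the list because of high false-positive rates; 0x1410 is still noisy and may need exclusions`, and delete the commented-out entries rather than keep them as dead list items. The `- '0x1410'` remove/re-add pair appears to be a whitespace-only change, which is fine but worth a word in the commit message.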
@@ -0,0 +1,28 @@
+title: CVE-2021-4034 Exploitation Attempt
+id: 40a016ab-4f48-4eee-adde-bbf612695c53
+description: Detects exploitation attempt of vulnerability described in CVE-2021-4034.
+author: 'Pawel Mazur'
+status: experimental
+date: 2022/01/27
+references:
+ - https://github.com/berdav/CVE-2021-4034
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
+ - https://access.redhat.com/security/cve/CVE-2021-4034
+logsource:
+ product: linux
+ service: auditd
+detection:
+ proctitle:
+ type: PROCTITLE
+ proctitle: '(null)'
+ syscall:
+ type: SYSCALL
+ comm: pkexec
+ exe: '/usr/bin/pkexec'
+ condition: proctitle and syscall
+tags:
+ - attack.privilege_escalation
+ - attack.tA0004
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
From bd9b5172cd874d5be4d0800ccfb4ca5a9dd55464 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Thu, 27 Jan 2022 12:44:53 +0100
Subject: [PATCH 88/90] Update lnx_auditd_cve_2021_4034.yml
---
 rules/linux/auditd/lnx_auditd_cve_2021_4034.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index 4e57e9ba6..63c29c951 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -22,7 +22,7 @@ detection:
 condition: proctitle and syscall
 tags:
 - attack.privilege_escalation
- - attack.tA0004
+ - attack.T1068
 falsepositives:
 - unknown
-level: high
\ No newline at end of file
+level: high
From c1c5ed0db73b10e53a6565eb0cfe48d43c1e1829 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Thu, 27 Jan 2022 12:55:22 +0100
Subject: [PATCH 89/90] Update lnx_auditd_cve_2021_4034.yml
---
 rules/linux/auditd/lnx_auditd_cve_2021_4034.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
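Review bot: `condition: proctitle and syscall` requires a single event to carry both `type: PROCTITLE` and `type: SYSCALL`, but auditd emits those as separate records that only share an audit event id, so on any pipeline that indexes records individually — the common case for Sigma auditd backends — the condition can never be true. Either state the prerequisite in `logsource`, e.g. `definition: Requires the PROCTITLE and SYSCALL records of one audit event to be merged into a single document (ausearch/auditbeat style)`, or restructure so each selection can stand on the record that actually holds its fields. Minor: `author: 'Pawel Mazur'` needn't be quoted (no other rule on this page quotes it), and the file lacks a trailing newline; the tag typo is already corrected by patches 88 and 89.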
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index 63c29c951..fd3531e09 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -22,7 +22,7 @@ detection:
 condition: proctitle and syscall
 tags:
 - attack.privilege_escalation
- - attack.T1068
+ - attack.t1068
 falsepositives:
 - unknown
 level: high
From 1aa7697ca807cd520533307f83a0ef59e02a95c3 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 27 Jan 2022 16:16:57 +0100
Subject: [PATCH 90/90] Update posh_ps_clear_powershell_history.yml
---
 .../powershell_script/posh_ps_clear_powershell_history.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index 6e897ec73..d1902e7f8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -19,7 +19,8 @@ detection:
 - 'del'
 - 'Remove-Item'
 - 'rm'
- ScriptBlockText|contains|all: '(Get-PSReadlineOption).HistorySavePath'
+ ScriptBlockText|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
 selection_2:
 ScriptBlockText|contains|all:
 - 'Set-PSReadlineOption'